Cross-Reference to Related Applications
This application is based upon U.S. Provisional Patent Application No. 61/171,013, filed April 20, 2009, and U.S. Provisional Patent Application No. 61/226,550, filed July 17, 2009, and claims priority to both of these applications, the disclosures of which are hereby incorporated by reference in their entirety.
Background
There are many situations today involving computing devices, which may or may not communicate with other devices or entities, in which the device, or some part or computing environment within it, is "owned" by an individual, an organization or some other entity. By "owned" we mean that the device, or a part or computing environment within it, can be authenticated by the entity, after which that entity can exercise some form of control over the device or that part of it. One example of such a situation exists in the wireless mobile communications industry, where the user of a wireless device such as a mobile phone can subscribe to the services of a particular mobile communications network operator.
In today's mobile communications industry, a user can subscribe to the services of a particular network operator by means of a wireless device, and such wireless devices usually include a Subscriber Identity Module (SIM) or a Universal Integrated Circuit Card (UICC). The SIM/UICC provides the wireless device with a secure execution and storage environment from which authentication algorithms can be executed and credentials can be stored, where those credentials allow the device to prove the device user's subscription with the network operator to that operator, and allow the network operator some form of control over the device, that is, ownership. Unfortunately, this SIM/UICC mechanism is usually limited to use with a single network operator.
Thus, a problem exists in many of today's computing environments, such as the situation described above in connection with mobile communication devices: the computing device as a whole is usually limited to being owned by a single entity. In many cases, ownership must be established when the user purchases the device, which hinders business models that require ownership to be established later. Further, these limitations hinder the use of the device in situations where multiple mutually isolated parts of the device need to have multiple owners, or where ownership needs to be transferred from time to time to other entities. For example, with wireless mobile communication devices such as mobile phones, the user usually needs to subscribe to the services of a particular mobile network operator at the time of purchase, and such devices are generally precluded from applications in which the mobile network operator may only become known at some time after the wireless device has been purchased. In addition, such devices cannot provide access to multiple operator networks at once. Updating and changing mobile network and service subscriptions can be difficult, and such processing usually cannot be performed over the air interface.
In particular, in the case of wireless mobile communication devices, although the SIM/UICC mechanism is generally considered very secure, this security is not tightly bound to the security properties of the device as a whole in which it resides. This limits the application of the concept of scaling security to advanced services and applications such as mobile financial transactions. These deficiencies are particularly relevant to automated devices such as machine-to-machine (M2M) communication devices.
What is needed, therefore, is a more dynamic and secure solution.
Summary
To overcome at least some of the deficiencies of current systems described above, disclosed herein are methods and means that allow one or more different local or remote owners to own or control one or more separate domains on one or more devices, while providing a system-wide level of management for those domains. An example system for implementing these methods and apparatus may include one or more devices, each of which may include one or more domains supported by at least one platform. Each platform may provide low-level computing, storage or communication resources to these domains. A platform may include some hardware, an operating system, some low-level firmware or software (e.g. boot code, BIOS, APIs, drivers, middleware or virtualization software), some high-level firmware or software (e.g. application software), and the corresponding configuration data for these resources. Each domain may include a configuration of computing, storage or communication resources running on at least one platform, and each domain may be configured to perform functions for a domain owner that may be local to or remote from the domain. Each domain may have a different owner, and each owner may specify policies for operating its domain, as well as policies for operating its domain in conjunction with the platform on which the domain resides and with other domains.
A system-wide domain manager may reside on one of the domains. The system-wide domain manager may enforce the policies of the domain in which it resides, and may coordinate how other domains carry out their respective operations in conjunction with the domain in which the system-wide domain manager resides. In addition, the system-wide domain manager may coordinate interactions among the other domains according to their respective policies. The domain in which the system-wide domain manager resides may be owned by the owner of the device that provides that domain. Alternatively, such a domain may be owned by an owner that does not necessarily own the device providing the domain.
Other features of the systems, methods and means described herein are provided in the following detailed description and the accompanying drawings.
Brief Description of the Drawings
Figure 1 illustrates an example system in which the methods and apparatus described herein may be used;
Figure 2 illustrates one embodiment of a system implementing the methods and apparatus described herein in a user equipment (UE);
Figures 3 and 3A illustrate an example boot-up and process for taking ownership of a domain;
Figures 4 and 4A illustrate example call flow diagrams of a process for taking ownership of a domain;
Figures 5 and 5A illustrate example call flow diagrams of a process for taking ownership of a domain with full authentication;
Figure 6 illustrates example state definitions, transitions and control point definitions for one embodiment of a trusted hardware subscription module;
Figure 7 illustrates example states that a remote owner can attain, and the conditions that may cause transitions, in a dynamically managed environment.
Detailed Description
To overcome at least some of the deficiencies of current systems described above, disclosed herein are methods and apparatus that allow one or more different local or remote owners to own or control one or more separate domains on one or more devices, while providing a system-wide level of management for those domains. An example system for implementing these methods and apparatus may include one or more devices, each of which may have one or more domains supported by at least one platform. Each platform may provide low-level computing, storage or communication resources to these domains. A platform may include some hardware, an operating system, other low-level firmware or software (e.g. boot code, BIOS and drivers), and the corresponding configuration data for these resources. Each domain may include a configuration of computing, storage or communication resources running on at least one platform, and each domain may be configured to perform functions for a domain owner that may be local to or remote from the domain. Each domain may have a different owner, and each owner may specify policies for operating its domain, as well as policies for operating its domain in conjunction with the platform on which the domain resides and with other domains.
Each domain may be isolated from other domains in terms of the computing, storage or communication resources it uses (from an input perspective) or the functions the domain provides using such resources (from an output perspective). Each domain may make use of the computing, storage or communication resources, or the functions, of a common underlying platform. Some domains may share some of these functions provided by the common platform. Such sharing of platform resource functions may be done in a way in which each domain's use of the common resources or functions is isolated from such use by other domains. For example, this isolation can be achieved by the device's platform enforcing strict access control over the resources it provides to each domain, whereby only those users, owners or other entities or processes outside the domain that are authorized by the platform and/or the domain owner are allowed to access the domain's resources. To the extent that a domain's functions depend on device resources outside the domain, the platform may also simply comprise the parts of the device that do not belong to the isolated domains on that device.
Communication between any two domains, whether on the same or different platforms or on the same or different devices, may be secure, meaning that the domains can authenticate each other in a secure manner (e.g. using cryptographic means) and can protect the messages exchanged between them in security aspects such as confidentiality, integrity and freshness. Cryptographic means provided by the platform or platforms on which the domains reside may be used to provide such secure communication between any two domains.
A system-wide domain manager may reside on one of the domains. The system-wide domain manager may enforce the policies of the domain in which it resides, and may coordinate how other domains carry out their respective operations in conjunction with the domain in which the system-wide domain manager resides. In addition, the system-wide domain manager may coordinate interactions among the other domains according to their respective policies. The domain in which the system-wide domain manager resides may be owned by the owner of the device that provides the domain. Alternatively, such a domain may be owned by an owner that does not necessarily own the device providing the domain.
Figure 1 illustrates one embodiment of such a system. As shown in Figure 1, the system may include one or more devices 100, 110 and 120. Each device may include one or more domains supported by at least one platform. For example, device 100 may include domain 106 and one or more other domains 101, 102. Although three domains are shown here for device 100, in other embodiments there may be more or fewer domains. Each of these domains 101, 102, 106 may include a configuration of computing, storage or communication resources running on at least one platform 105 of the device. Each domain may be configured to perform functions for a domain owner that is local to or remote from the domain. For example, domain 106 may be owned by the device owner (not shown), while domains 101, 102 may be owned by one or more remote owners. Each domain may have a different owner, or more than one domain of the device may be owned by the same owner. Each owner may specify policies for operating its domain, as well as policies for operating its domain in conjunction with the platform, the device on which the domain resides, and other domains within the same or different devices.
As illustrated, the system may also include other devices hosting other domains. For example, device 110 may include domains 111 and 112, each of which may be owned by the same remote owner. Of course, each of domains 111 and 112 may instead be owned by a different owner. Each domain 111, 112 may include a configuration of computing, storage or communication resources running on platform 115 of device 110. Similarly, device 120 may include domains 121 and 122. As shown in this example, each of these domains may be owned by a different owner. Alternatively, these domains may be owned by the same owner. Likewise, each domain 121, 122 may include a configuration of computing, storage or communication resources running on platform 125 of device 120.
A system-wide domain manager (SDM) 107 may reside on one of the domains. In this example, SDM 107 resides on domain 106 of device 100. In one embodiment, the domain on which the SDM resides (e.g. domain 106) is owned by the owner of device 100. SDM 107 communicates with remote domain 101 on device 100 via a communication mechanism provided in device 100. In addition, SDM 107 communicates with domains on other devices via respective communication channels 131, 132, 141, 142, which may be wired or wireless. The communication channels 131, 132, 141, 142 may be secure. SDM 107 may enforce the policies of domain 106 in which it resides, and may coordinate the enforcement of the respective policies of the other domains 101, 111, 112, 121, 122 in conjunction with domain 106. In addition, SDM 107 may coordinate interactions among the other domains according to their respective policies and according to the policy of the domain in which the SDM resides (which may be the policy of that domain's owner).
As an example, in one embodiment a domain may be owned by a service provider. For instance, domain 102 of device 100 may be owned by a service provider (e.g., by way of example only, a mobile network operator). Domain 102 may authenticate device 100, and in some cases equivalently the subscription relationship between the device owner or user and the mobile network operator, by performing subscriber identity module (SIM) functions, so as to allow communication between device 100 and the service provider.
In addition to the SDM functions described above, SDM 107 may also access information and provide a list of resources available to one or more domains. SDM 107 may also supervise the loading and maintenance status of domains owned by remote owners. Furthermore, SDM 107 may provide the user of the device 100 on which it resides with a list of domains that can be loaded, and may ask the user to select which of the listed domains to load. The SDM may also assess whether the platform or device has sufficient computing resources to load, and thereby support the operation of, one or more domains.
As noted above, SDM 107 may participate in enforcing both one or more of its own policies (referred to here as the system-wide domain policy (SDP)) and the policies of other domains (i.e. domain-specific policies (DPs)). When evaluating whether to load a new domain, SDM 107 may take into account the policies of one or more existing domains. For example, the policy of a given domain owned by a remote owner may specify that the domain be placed in an inactive state while another domain of a certain type is active. In another example, the policy of a given domain owned by a remote owner may specify that the domain be placed in an inactive state while another domain owned by some other remote owner is active. In yet another example, the policy of a given domain owned by a remote owner may specify that the domain's operation be restricted to one or more particular modes while another domain of a certain type is active. In a further example, the policy of a given domain owned by a remote owner may specify that the domain's operation be restricted to one or more particular modes while another domain owned by some other remote owner is active. SDM 107 may be responsible for enforcing all of these types of policies.
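The four policy forms just listed (deactivate or restrict a domain while another domain of a given type, or of a given owner, is active) are the kind of rules the SDM has to evaluate before admitting a new domain. The following Go program is an added example, not code from the patent or from any product, showing one way an SDM could evaluate them when a domain is loaded. The `Domain`, `Rule` and `Load` names, the three-level state model (Active, Restricted, Inactive) and the sample domains "MNO-A", "Pay" and "MNO-B" are all assumptions constructed for the example; states only ever move downward during evaluation, so the loop terminates and the result is conservative.

```go
package main

import "fmt"

// State of a domain after the SDM has applied all domain-specific policies.
// Ordered so that a policy can only lower a state (Active > Restricted > Inactive).
type State int

const (
	Inactive   State = iota // page: "placed in an inactive state"
	Restricted              // page: "operation restricted to particular modes"
	Active
)

func (s State) String() string { return [...]string{"Inactive", "Restricted", "Active"}[s] }

// Rule is one clause of a domain-specific policy (DP): while any *other* domain
// matching OtherType and/or OtherOwner is active, this domain drops to Effect.
// An empty field is a wildcard; a rule with both fields empty never matches.
type Rule struct {
	OtherType  string
	OtherOwner string
	Effect     State
}

func (r Rule) matches(other Domain) bool {
	if r.OtherType == "" && r.OtherOwner == "" {
		return false
	}
	if r.OtherType != "" && r.OtherType != other.Type {
		return false
	}
	return r.OtherOwner == "" || r.OtherOwner == other.Owner
}

// Domain is a remote-owner domain as the SDM sees it (hypothetical model).
type Domain struct {
	Name, Owner, Type string
	Policy            []Rule
}

// Load models the SDM admitting `candidate` next to the already-active domains
// and returns the resulting state of every domain once all DPs are enforced.
// Inactive domains no longer trigger anyone else's rules; Restricted ones still
// count as "active" for the purposes of other domains' policies.
func Load(active []Domain, candidate Domain) map[string]State {
	all := append(append([]Domain{}, active...), candidate)
	states := make(map[string]State, len(all))
	for _, d := range all {
		states[d.Name] = Active
	}
	for changed := true; changed; {
		changed = false
		for _, d := range all {
			for _, r := range d.Policy {
				for _, o := range all {
					if o.Name == d.Name || states[o.Name] == Inactive || !r.matches(o) {
						continue
					}
					if r.Effect < states[d.Name] { // only ever lower a state
						states[d.Name] = r.Effect
						changed = true
					}
				}
			}
		}
	}
	return states
}

// Constructed sample: an operator domain that tolerates no second operator,
// a payment domain that runs restricted whenever OperatorB is present, and a
// second operator domain that restricts itself while a payment domain is up.
var Existing = []Domain{
	{Name: "MNO-A", Owner: "OperatorA", Type: "MNO",
		Policy: []Rule{{OtherType: "MNO", Effect: Inactive}}},
	{Name: "Pay", Owner: "BankX", Type: "payment",
		Policy: []Rule{{OtherOwner: "OperatorB", Effect: Restricted}}},
}

var Candidate = Domain{Name: "MNO-B", Owner: "OperatorB", Type: "MNO",
	Policy: []Rule{{OtherType: "payment", Effect: Restricted}}}

func main() {
	for name, st := range Load(Existing, Candidate) {
		fmt.Printf("%-6s -> %s\n", name, st)
	}
}
```

Loading "MNO-B" deactivates "MNO-A" (its DP forbids a second MNO-type domain), puts "Pay" into Restricted (OperatorB is now present) and admits "MNO-B" itself only in Restricted mode (a payment domain is still counted as active). A candidate that matches no rule, such as a ticketing domain from an unrelated owner, leaves every state Active.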
SDM 107 may also later establish or load domains whose ownership may subsequently be taken by a remote owner. For example, such a domain may be established in a state in which it is not owned by any owner, referred to here as the "pristine" state, and SDM 107 may manage the establishment of a remote owner's ownership of the domain.
To this end, SDM 107 may transmit to the remote owner information that the remote owner may take into account in determining whether to establish ownership of the domain. This information may include at least one of: (i) information attesting to the integrity of the domain whose ownership is sought; and (ii) information attesting to the integrity of at least one other domain in the system. The information may also include: (i) integrity information attesting to the platform whose resources are used by the domain whose ownership is sought; and (ii) integrity information attesting to the platform whose resources are used by at least one other domain in the system. In addition, the information may include information relating to the device's current environment. This may include at least one of: (i) a value indicating the number of other domains in the system; (ii) information providing summary characteristics of the other domains in the system; and (iii) information specifying the platform resources available to the domain for which ownership is being established. The amount of information about other domains in the system provided to the remote owner may be conditioned on the respective policies of those other domains regarding confidentiality and/or isolation.
After the remote owner has taken ownership of the domain, it may exercise a degree of control over the domain. For example, after the remote owner has established ownership of the domain, the domain may receive from the remote owner at least one of keys, configuration information, parameters and executable code in order to enhance the domain's functionality. In another example, after the remote owner has established ownership of the domain, the domain may receive from the remote owner a policy specific to that domain.
The system disclosed here may also provide for the isolation and security of one or more domains. For example, one or more domains may include a secure execution and storage environment isolated from other domains. To achieve such a secure environment, the platform of a device on which one or more domains are established, such as platform 105 of device 100 in Figure 1, may include a root of trust 103. Root of trust 103 may comprise an immutable and non-removable set of hardware resources whose integrity is pre-established and can be relied upon by others, including the remote owners of domains. For a domain such as domain 101, its integrity may be established by a chain of trust anchored in root of trust 103. For example, the integrity of domain 101 may be determined by comparing a measurement of at least one component of domain 101 with a reference integrity metric, where the measurement may be generated by root of trust 103 and the reference integrity metric may be stored in root of trust 103 and available to the root of trust for verifying the domain's integrity. Alternatively, the reference integrity metric may be stored by the remote owner, and the measurement may be transmitted to the remote owner for comparison with the reference integrity metric. If the measurement matches the reference integrity metric, the domain's integrity is verified. In one example embodiment, the measurement may comprise a hash computed over the component, and the reference integrity metric may comprise a hash previously computed over the component and accompanied by a digital certificate that provides an indication of the authenticity of the reference integrity metric. The reference integrity metric may be pre-provisioned in the device at the time of manufacture or when the device is delivered to its owner. It may also be delivered to the owner from a remote source over a communication channel (e.g. an over-the-air wireless channel) after the device has been manufactured/provisioned, and provisioned in the device only after delivery. The reference integrity metric may be delivered to the device contained in a certificate. The certificate may be verified by a trusted third party for use after it has been delivered to the device.
The systems disclosed here, and their various methods and apparatus, may be implemented in a variety of computing and communication contexts. Accordingly, the devices in the system, such as the example devices 100, 110 and 120 of Figure 1, may take a wide variety of forms. By way of example and not limitation, a device in the system may comprise a wireless transmit/receive unit (WTRU), a user equipment (UE), a mobile station, a fixed or mobile subscriber unit, a pager, a cellular telephone, a personal digital assistant (PDA), a computer, a machine-to-machine (M2M) device, a SIM card, a universal integrated circuit card (UICC), a smart card, a geo-tracking device, a sensor network node, a metering device (e.g. a water, gas or electricity meter), or any other computing or communication device capable of operating in a wireless or wired environment. The following figures and description provide several additional example embodiments in which the disclosed systems and methods are provided in a wireless transmit/receive unit (WTRU). It should be understood, however, that these embodiments are merely exemplary and that the systems and methods disclosed here are not limited to them. On the contrary, as noted above, the systems and methods disclosed here may be used in a wide variety of computing and communication environments.
Figure 2 is a diagram illustrating one embodiment of a WTRU in which the systems and methods disclosed here may be implemented. As shown, the WTRU may comprise a mobile device, e.g. UE 200. UE 200 may include a mobile equipment (ME) 210 and a trusted hardware subscription module (THSM) 220. THSM 220 may in turn include a THSM device manufacturer (DM) domain 221, a THSM device owner (DO) domain 222, a THSM device user (DU or U) domain 223, a system-wide domain manager (SDM) 230, an inter-domain policy manager 240, and one or more remote owner (RO) domains, e.g. RO domain A 224, RO domain B 225 and RO domain C 226. In addition, UE 200 may include the following components, not shown: a processor, a receiver, a transmitter and an antenna. The example embodiments described here may refer to the components described in connection with Figure 2.
The THSM may be a hardware-based module that provides trusted subscription management functions, including those normally performed by SIM, USIM and ISIM functions and by access network subscriptions. The THSM may be a hardware-protected module. It may include hardware specifically designed with the relevant security features. It can internally support multiple isolated domains. A domain may be claimed or owned by a particular owner, referred to as a remote owner (RO). A domain claimed by an RO may act as a proxy for that RO.
One or more domains may perform subscription management functions, e.g. trusted subscriber identity management (TSIM). Since multiple domains with TSIM capability may exist on a single THSM, the THSM can support subscription management for multiple ROs. For TSIM-capable domains, some management aspects may be performed by a single management function called the system-wide domain manager (SDM). Other aspects may be managed individually within or on a single domain.
Although described here in terms of a Universal Mobile Telecommunications System (UMTS) environment, those skilled in the art will recognise that the methods and apparatus described here apply equally to other environments without departing from the scope of this application. A TSIM may be a typical example of a "subscription application". For example, if a TSIM is implemented on a WTRU operating in a 3G UMTS network, it may include, as part of its functionality, all subscription-related functions, including the UMTS Authentication and Key Agreement (AKA) function. A TSIM need not be bound to particular hardware such as a UICC. This contrasts with a USIM, which can exist only on a UICC. Instead, a TSIM may be implemented on the trusted hardware subscription module (THSM) described here. Those skilled in the art will also recognise that, without departing from the scope of this application, the THSM functionality described here may also be incorporated into a UICC or similar smart card, e.g. a UICC meeting European Telecommunications Standards Institute (ETSI) requirements or a smart card conforming to the GlobalPlatform specifications.
A WTRU may include a THSM and a mobile equipment (ME). The ME may include a modem, a radio, a power supply and various other features typically found in a WTRU. The THSM may comprise a separate hardware-based module. The THSM may be embedded in the WTRU or may be standalone. Even if embedded in the WTRU, the THSM may be logically separate from the ME. The THSM may include one or more domains, each owned by and operated on behalf of a particular domain owner, thereby providing secure and trusted services and applications. Thus, for example, the DM's domain may be denoted TDDM and the DO's domain TDDO. Domains in the THSM may perform security-sensitive functions and applications that may be insecure or inconvenient to perform in the ME.
Some domains may be owned and managed by one or more service providers, for example: mobile network operators (MNOs); other communication network operators, such as wireless local area network (WLAN) or WiMax providers; application service providers, such as providers of mobile payment, mobile ticketing, digital rights management (DRM), mobile TV or location-based services; or IP Multimedia Subsystem (IMS) service providers. Subscription management may be supported by a domain owned by the service provider. For simplicity, the subscription management functions implemented on a THSM domain are denoted TSIM functions below. The support provided for TSIM functions may vary from domain to domain. For example, the supported TSIM functions may include functions similar to those provided by the USIM and ISIM functions on the UICC of a mobile terminal. Like a UICC, the THSM may provide functions, applications and data other than those provided by the TSIM.
A TSIM may be a software unit or a virtual application. Initially, a TSIM may have no credentials associated with a particular network operator or public land mobile network (PLMN). The TSIM may refer to subscription credential/application management for the UMTS cellular access network. For example, the TSIM may include management of a strong secret (Ki) such as the UMTS authentication key. In an M2M context, the TSIM may also include M2M connectivity identity management (MCIM).
The THSM may include a core root of trust for measurement (CRTM) unit, similar to the root of trust for measurement (RTM) found in computing devices that have a trusted platform module (TPM) or mobile trusted module (MTM). The THSM's CRTM may measure the integrity of the THSM's root code, for example at THSM boot time. This integrity metric may be computed by an extend operation, e.g. by applying a cryptographic digest value to the THSM boot code, the BIOS and optionally the THSM's manufacturer characteristics, which may be a version number, software configuration or release number. For example, the integrity metric may be computed with a version of the Secure Hash Algorithm (SHA), e.g. SHA-X.
The THSM may include a core root of trust for storage (CRTS) unit, similar to the root of trust for storage (RTS) found in a TPM or MTM, configured to store integrity metrics in protected memory. The THSM may also include a core root of trust for reporting (CRTR) unit, similar to the root of trust for reporting (RTR) found in a TPM or MTM, configured to report the THSM's integrity metrics to an external challenger.
Thus the THSM can effectively provide capabilities similar to a TPM or MTM in terms of trusted measurement, storage and reporting. The THSM may also include the ability to implement multiple trusted stakeholder engines. Further, the THSM may be configured to implement corresponding multi-stakeholder trusted subsystems. The THSM may thus resemble a trusted mobile phone as defined by the TCG Mobile Phone Working Group (MPWG) specifications.
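The paragraphs above describe two pieces of the same mechanism: the CRTM computing an integrity metric by extending a digest over the boot code, BIOS and manufacturer information, and (earlier, for domain 101 and root of trust 103) verifying a domain by comparing such a measurement with a reference integrity metric that arrives with a certificate attesting to its authenticity. The Go program below is an added example, not the patent's or any vendor's code, that carries both steps through. It assumes SHA-256 as the concrete "SHA-X", a TPM-style extend (`register = SHA-256(register || measurement)`), and an Ed25519 signature by a trusted third party as a stand-in for the digital certificate the page mentions; the component contents, the `MeasureBoot`, `IssueRIM` and `VerifyDomain` names, and the tampered BIOS image are all constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
)

// Component is one item the CRTM measures at boot (constructed sample data).
type Component struct {
	Name string
	Code []byte
}

// Measure returns the SHA-256 digest of a component's code: the "measurement".
func Measure(c Component) []byte {
	d := sha256.Sum256(c.Code)
	return d[:]
}

// Extend folds a measurement into the running integrity register, TPM-PCR style:
// register = SHA-256(register || measurement). Boot order therefore matters.
func Extend(register, measurement []byte) []byte {
	d := sha256.Sum256(append(append([]byte{}, register...), measurement...))
	return d[:]
}

// MeasureBoot models the CRTM: it measures each component in boot order and
// extends a register that starts at all zeros (what the CRTS would hold).
func MeasureBoot(chain []Component) []byte {
	register := make([]byte, sha256.Size)
	for _, c := range chain {
		register = Extend(register, Measure(c))
	}
	return register
}

// SignedRIM is a reference integrity metric plus the trusted third party's
// signature over it; Ed25519 stands in for the certificate on the page.
type SignedRIM struct {
	Metric    []byte
	Signature []byte
}

// IssueRIM is what the trusted third party does at manufacture/provisioning.
func IssueRIM(priv ed25519.PrivateKey, metric []byte) SignedRIM {
	return SignedRIM{Metric: metric, Signature: ed25519.Sign(priv, metric)}
}

// VerifyDomain is the check the root of trust (or the remote owner) performs:
// confirm the RIM is authentic, then compare the reported register against it.
func VerifyDomain(pub ed25519.PublicKey, rim SignedRIM, reported []byte) error {
	if !ed25519.Verify(pub, rim.Metric, rim.Signature) {
		return errors.New("reference integrity metric is not authentic")
	}
	if !bytes.Equal(rim.Metric, reported) {
		return errors.New("integrity measurement does not match reference")
	}
	return nil
}

// GoodChain is a constructed boot chain: boot code, BIOS, manufacturer info.
var GoodChain = []Component{
	{"boot-code", []byte("THSM boot code v1 (constructed sample)")},
	{"bios", []byte("THSM BIOS image (constructed sample)")},
	{"manufacturer-info", []byte("version=1.0;release=42 (constructed sample)")},
}

// Demo issues a RIM for the good chain, then verifies the good chain and a
// chain whose BIOS was altered. Returns (goodVerified, tamperedVerified).
func Demo() (bool, bool) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // trusted third party's key
	rim := IssueRIM(priv, MeasureBoot(GoodChain))    // golden value, pre-provisioned
	goodErr := VerifyDomain(pub, rim, MeasureBoot(GoodChain))
	tampered := append([]Component{}, GoodChain...)
	tampered[1] = Component{"bios", []byte("modified BIOS image (constructed)")}
	badErr := VerifyDomain(pub, rim, MeasureBoot(tampered))
	return goodErr == nil, badErr == nil
}

func main() {
	fmt.Println("integrity register:", hex.EncodeToString(MeasureBoot(GoodChain)))
	good, bad := Demo()
	fmt.Println("pristine chain verifies:", good, "| tampered chain verifies:", bad)
}
```

Two properties worth noticing: because the register is extended rather than simply hashed over the concatenation, swapping the boot order of two components changes the result, so a "matching" metric also attests to the sequence; and a RIM signed by anyone other than the trusted third party is rejected before the comparison even happens, which is the role the certificate plays on the page.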
The THSM may be configured to build multiple internal "stakeholder domains", e.g. using the core RoT capabilities described here. A stakeholder may be the THSM device manufacturer (DM), the THSM device owner (DO) or a THSM device user (DU). The DU may be the same as or different from the DO. Each THSM may have more than one DU. A stakeholder may also be one of the different remote owners (ROs) of domains specifically leased or owned by the DO. For example, Third Generation Partnership Project (3GPP) PLMN operators such as MNOs, IMS service providers, non-3GPP access network operators or value-added application service providers may all be stakeholders.
Some domains may be mandatory, in which case they may be pre-configured when the THSM is manufactured. For example, the DM domain may be mandatory and may be built or loaded at boot time according to a pre-configured file. The DO domain may also be mandatory and may be built to a pre-provisioned configuration. Alternatively, a domain may be built according to a downloaded configuration file.
Domains other than the DM domain may undergo a remote take-ownership (RTO) process before being "claimed" and "owned" by the domain's owner. Before a particular domain has undergone the RTO process, it may exist as a "pristine" domain for a non-specific owner. In that case no specific ownership is claimed for the domain.
Domains on the THSM may communicate and exchange information with the ME via the THSM-ME interface. For example, a domain may communicate with the ME during boot or the RTO process. The data exchanged over the THSM-ME interface may need to be protected.
The integrity of all communications over the THSM-ME interface may need to be protected. For example, integrity protection may use keys such as pre-provisioned temporary keys or keys exchanged using an authenticated key exchange mechanism. These keys may be symmetric, e.g. Ktemp_1, or asymmetric, e.g. a public/private key pair Kpub/priv_THSM_temp_I used by the THSM for integrity, or a public/private key pair Kpub/priv_ME_temp_I used by the ME for integrity. Temporary keys may be used to protect the interface. For example, a temporary key may be associated with a validity period, or may be used once or a predetermined number of times.
Confidentiality of communications over the THSM-ME interface may likewise be provided by cryptographic means. One or more pre-provisioned temporary keys may be used, exchanged via an authenticated key exchange mechanism. The encryption keys may be symmetric, e.g. Ktemp_C for encryption, or asymmetric, e.g. a public/private key pair Kpub/priv_THSM_temp_C used by the THSM for encryption and a public/private key pair Kpub/priv_ME_temp_C used by the ME for encryption. For simplicity, the RTO methods and apparatus described here use pre-provisioned symmetric temporary keys. However, those skilled in the art will recognise that other key implementations may be used without departing from the scope of this application.
For messages passed in the clear between the THSM-ME and the RO, protection against replay of those messages may be provided. Every message sent over the THSM-ME interface may carry a single-use freshness value (a nonce). For simplicity, the RTO protocol described here may include anti-replay protection for all messages exchanged over the ME-THSM interface; however, those skilled in the art will recognise that other interface protection configurations may be used without departing from the scope of this application.
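The three preceding paragraphs ask for integrity, confidentiality and replay protection on the THSM-ME interface using a pre-provisioned symmetric temporary key with a bounded number of uses. The Go program below is an added example, not the patent's own protocol, that realises those three properties with one AES-GCM key: the authentication tag gives integrity, the encryption gives confidentiality, and a strictly increasing message counter carried in the nonce (and authenticated as associated data) gives freshness, so a replayed or stale message is rejected. The key, the `Endpoint`/`TempKey` types, the usage budget and the message contents are constructed assumptions; the page's Ktemp_C is modelled as a single shared key with a use counter, which is one of the options the page names.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// TempKey models a pre-provisioned symmetric temporary key (Ktemp_C on the
// page) that may be used only a predetermined number of times.
type TempKey struct {
	aead      cipher.AEAD
	remaining int
}

func NewTempKey(key []byte, maxUses int) (*TempKey, error) {
	block, err := aes.NewCipher(key) // 16/24/32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &TempKey{aead: aead, remaining: maxUses}, nil
}

// Endpoint is one side of the THSM-ME interface. Both sides share the key;
// sendCtr is the sender's freshness counter, lastRecv the highest counter
// accepted so far by the receiver.
type Endpoint struct {
	key      *TempKey
	sendCtr  uint64
	lastRecv uint64
}

// Send encrypts and authenticates plaintext under the temporary key. The
// 12-byte GCM nonce is zero-padded || counter; it is prepended to the output
// and also bound as associated data so it cannot be swapped undetected.
func (e *Endpoint) Send(plaintext []byte) ([]byte, error) {
	if e.key.remaining <= 0 {
		return nil, errors.New("temporary key exhausted")
	}
	e.key.remaining--
	e.sendCtr++
	nonce := make([]byte, e.key.aead.NonceSize())
	binary.BigEndian.PutUint64(nonce[4:], e.sendCtr)
	return append(nonce, e.key.aead.Seal(nil, nonce, plaintext, nonce)...), nil
}

// Receive rejects stale or replayed counters, then verifies and decrypts.
func (e *Endpoint) Receive(msg []byte) ([]byte, error) {
	ns := e.key.aead.NonceSize()
	if len(msg) < ns {
		return nil, errors.New("message too short")
	}
	nonce, ct := msg[:ns], msg[ns:]
	ctr := binary.BigEndian.Uint64(nonce[4:])
	if ctr <= e.lastRecv {
		return nil, errors.New("replayed or stale message")
	}
	pt, err := e.key.aead.Open(nil, nonce, ct, nonce)
	if err != nil {
		return nil, errors.New("integrity check failed")
	}
	e.lastRecv = ctr
	return pt, nil
}

// Demo drives one THSM->ME exchange: a fresh message is accepted, its exact
// replay is rejected, and a tampered second message is rejected.
func Demo() (accepted string, replayErr, tamperErr error) {
	key, _ := NewTempKey([]byte("constructed-key!"), 3) // 16-byte constructed key
	thsm, me := &Endpoint{key: key}, &Endpoint{key: key}
	msg, _ := thsm.Send([]byte("RTO request: domain pristine (constructed)"))
	pt, _ := me.Receive(msg)
	_, replayErr = me.Receive(msg) // same counter again
	msg2, _ := thsm.Send([]byte("second message"))
	msg2[len(msg2)-1] ^= 0x01 // flip one bit of the tag
	_, tamperErr = me.Receive(msg2)
	return string(pt), replayErr, tamperErr
}

func main() {
	pt, r, tm := Demo()
	fmt.Printf("accepted: %q\nreplay: %v\ntamper: %v\n", pt, r, tm)
}
```

Note the ordering in `Receive`: the counter is compared before the tag is checked, so a replay costs the receiver no cryptographic work, while the counter itself cannot be forged because it is part of the authenticated nonce. The `remaining` budget implements the page's "used once or a predetermined number of times"; a validity period would be an analogous check on a timestamp.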
签名可以应用于散列。例如,散列可以通过SHA-X算法产生。可信的第三方可以使用证书(CertTSIM)来证实与THSM相关联的私钥-公钥对,例如KTSIM-Priv和KTSIM-Pub。可信第三方还可以使用证书(CertRO)来证实与网络关联的另一组密钥,例如KRO-Priv和KRO-Pub。这些证书可以保存在为被考虑的域分配的受保护存储器中。Signatures can be applied to hashes. For example, the hash can be generated by the SHA-X algorithm. A trusted third party can use a certificate (CertTSIM ) to certify the private key-public key pair associated with the THSM, egKTSIM-Priv andKTSIM-Pub . A certificate (CertRO ) can also be used by a trusted third party to certify another set of keys associated with the network, such as KRO-Priv and KRO-Pub . These certificates can be saved in a protected memory allocated for the domain under consideration.
The public key KRO-Pub may be used by the THSM platform, and in particular by the TSIM, to verify signatures from the RO or to encrypt messages sent to the RO. The private key KRO-Priv may be used by the network for signing purposes and to decrypt messages that the TSIM encrypted with the corresponding public key. The public key-private key pair KTSIM-Pub and KTSIM-Priv may serve similar functions, with the roles of the TSIM and the RO exchanged. Alternatively, the RO and the TSIM may each have separate key pairs for encryption and for signing.
The key pairs KRO-Priv and KRO-Pub and KTSIM-Priv and KTSIM-Pub may depend on the particular network service selected by the owner, the user, or both. Each service provider, such as an RO, has its own public key-private key pair certified for each domain on the THSM associated with that provider. The selected service may determine which set of key pairs is used. For example, the set of public key-private key pairs may be determined by the selected service provider and the associated domain on the THSM. The keys used need not be negotiated. The public or private key pair may be determined by the service provider and may be closely associated with a THSM subsystem or domain.
The THSM TDDO may be configured with a "System-wide Domain Manager" (SDM). The SDM may protectively store a pre-configured file containing the "System-wide Domain Policy" (SDP). The SDM may build or load RO domains for the THSM in accordance with the SDP. The SDM may be included in the original configuration of the DO's domain. The SDM may use the pre-configured SDP to determine which other domains should be built and in what order.
On behalf of an RO domain, and when requested by the RO domain, the SDM may prepare and provide a THSM Platform Environment Summary (TPES) and a THSM Platform Integrity Attestation (TPIA). The TPES may describe summary information about the current "environment" of the THSM. That information may include the number and summary characteristics of the domains on the THSM, subject to or as permitted by the respective domain policies in terms of confidentiality and isolation, as well as any remaining resources on the THSM that can be used for communication with, and for sharing functions or resources with, the requesting domain. The TPIA may include a collection of integrity attestations about one or more domains of the THSM. The TPIA may also include integrity attestations of the platform supporting those domains. The TPIA may be used to prove the trust state of the domains of interest, and of the platform supporting them, to an external verifier, for example an RO interested in performing an RTO process for a pristine domain on the THSM. The RO or the RO domain (TDRO) may request a TPIA from the SDM. The SDM may grant or deny the request in accordance with the SDP.
The SDM may also interact with a physically present device owner of the THSM, for example with service personnel, in order to interactively identify the other domains that should be built and the order in which to build them. Further, the SDM may ask the user domain to interact with a physically present user of the THSM, so as to obtain input on the domains to be built and on the build order. That information may be used as input during the domain build process.
When performing an RTO process for an RO domain, the THSM may be configured to pass through four distinct system states before the remote take-ownership protocol completes. The THSM Pre_Boot system state may indicate that the THSM has not yet been "powered on". The THSM_TDDM_LOAD_COMPLETE system state may indicate that the DM domain on the THSM has been built or loaded, which is the first step after the THSM is powered on. The THSM_TDDO_LOAD_COMPLETE system state may indicate that the DO domain (TDDO) has been built or loaded into its final usable configuration. If the DO domain has never itself undergone an RTO process, that "final usable configuration" may be the "pristine" configuration; otherwise it may be a "post-RTO" configuration. The DM domain may build or load the DO domain. Until the DO domain has undergone at least one RTO process, it may be in a "pristine" state, not yet claimed or owned by any particular DO. The "pristine" domain may consist of a "shell". When the DO domain is built or loaded for the first time, the "final usable configuration" (referred to here and hereafter as the final configuration) comes from a pre-configured file. Alternatively, if the "final configuration" results from the RTO process for the RO's domain, then the particular domain on the THSM has gone through the remote take-ownership protocol at least once and the remote owner may have obtained ownership of the TSSRO. This may indicate a trusted subsystem that has been configured on the platform at the end of the remote take-ownership process. Upon reaching this state, or before it, the particular RO may begin performing other tasks.
The THSM_TDRO_LOAD_COMPLETE system state may indicate that the RO domain (TDRO) has been built or loaded into its final usable configuration. If the RO domain has never itself undergone an RTO process, that "final usable configuration" may be the "pristine" configuration; otherwise it may be a "post-RTO" configuration. The DM domain may build or load the RO domain. Until the DO domain has undergone at least one RTO process, it may be in a "pristine" state, not yet claimed or owned by any particular DO. The "pristine" domain may consist of a "shell". When the RO's TD is built or loaded for the first time, the "final usable configuration" comes from a pre-configured file.
Alternatively, if the final configuration results from the RTO process for the RO's TD, then the particular TD on the THSM has gone through the RTO protocol at least once, and the RO will have obtained ownership of the TDRO. This indicates a trusted subsystem that has been configured on the platform at the end of the RTO. Upon reaching this state, the particular RO may begin performing other tasks. If the RO's TD (TDRO) is the MNO's TD, then at this stage the MNO's TD may provide the final trusted subscriber identity management (TSIM) function implemented on the TDRO.
Alternatively, the System-wide Domain Manager (SDM) may be implemented in the DM's TD rather than in the DO's TD. After providing appropriate authorization data to the DM's TD, the DO may use the SDM provided by the DM's TD to perform the tasks of creating, loading and otherwise managing the various remote-owner TDs on the THSM. In this example, the details of the THSM system boot sequence and of the RTO processing sequence may differ from those described here while still remaining within the scope of this application. The boot and RTO processing of this example, and the description of how the DO or the DO's TD may use the SDM provided by the DM's TD, may be similar to what is described here; for example, the description may concern which types of authorization data may be provided (and how they may be provided). As an example, a THSM embedded as a smart card may include a card manager with functionality supporting the card manager functions specified by a standard such as Global Platform, where the card manager is responsible for managing the security domains on the card on behalf of the card issuer. The card issuer may be analogous to the DM, and the card manager may include some of the SDM's functions. The card manager may therefore be analogous to an SDM held in the DM's domain.
In a first embodiment, the ME may be configured to provide a secure boot capability, and the THSM may be configured to provide full MTM capability. At power-on, the ME may perform a secure boot. For example, the ME may perform a non-TCG "secure" boot, which may, for instance, follow the Open Mobile Terminal Platform (OMTP) Trusted Execution Environment TR0 specification. At boot time, for example, the THSM may first build the THSM DM's domain (TDDM) through a start-up process and then build the "pristine" THSM DO's domain (TDDO). If the DO and the DU are separate, the THSM may also build the THSM DU's domain.
Initially, the THSM TDDM may be built from a pre-configured file that is protected within the THSM and provided at boot time. The THSM TDDO may largely be built from a pre-configured file, but may also be built through an RTO process. The THSM TDDO may undergo an RTO protocol. That protocol may take the same form as the RTO protocol used for an RO domain (TDRO), or it may be a different protocol. If the THSM TDDO does not undergo an RTO protocol, the credentials needed to take ownership may be pre-configured and pre-provisioned. The THSM TDDO may be owned by the DO. The DO may be an actual human user or owner, an organization such as an enterprise or its information technology (IT) department, or a remote network operator (NO).
The THSM TDU may be built from a pre-configured file pre-provisioned in the THSM TDDO. In accordance with the system-wide domain policy (SDP) of the THSM's DO, the THSM's RO domain may first be constructed in a "pristine" configuration and may then undergo an RTO process with the RO. The SDM of the DO's domain may manage the RTO process for the RO domain in accordance with the SDP. If the THSM RO is an MNO, and the RO domain is therefore the MNO's domain, then the MNO's domain may likewise undergo protocols that define: i) how the MNO's domain may be registered with the MNO; ii) how subscription credentials (for example the USIM or MCIM secret key Ki and the International Mobile Subscriber Identity (IMSI), among others) may be copied (rolled off) from the MNO's mobile network to the MNO domain on the THSM and subsequently provisioned there; and iii) how, when subscription credentials are downloaded, the function that processes or uses those credentials, or even the domain that provides the subscription management function, may be migrated from one device to another. These protocols may be called i) the registration protocol; ii) the credential copy protocol; and iii) the migration protocol, respectively. After the RTO is complete, the THSM's RO domain may attest and report its own configuration to the RO.
In the first embodiment, the only trusted build mechanism the ME can perform is a secure boot process at power-on, and the ME's configuration need not be further attestable by the ME or by the THSM. Alternatively, the ME may perform a self-integrity check and produce an integrity value (IV) when it completes secure boot. The ME may install software using over-the-air (OTA) methods and in accordance with security mode features such as the UMTS security mode features, for example tools for confidentiality and integrity protection. Optionally, when an RO takes ownership of its domain through an RTO process, the RO may download or otherwise introduce, and then declare, its own policy on the THSM conditions acceptable to it, so as to allow the RTO process to complete. The RO may be configured to "gate-keep" the process of installing itself on the THSM platform on its agreement to the conditions of the THSM as a whole, the build structure conditions of the other domains on the THSM, or both. Thus, as part of the RTO process, the RO may exchange some information with the DO domain's SDM in order to learn the DO's conditions or "domain build plan", and may allow the RTO process to complete only if those conditions are acceptable to the RO. The RO domain also has the right, and may be configured to exercise that right by executing functions, to be updated on or notified of any changes in the THSM's conditions or domain build plan after it has agreed to be initially built on the THSM through the RTO process. The RO domain-specific policy (DP) may specify the types of changes of which the RO domain may need to be notified.
The SDM may initiate an RTO process for an RO domain associated with an intended RO. This may take place while the RO domain is in a "pristine", "unclaimed" state. For example, the RO domain may be named "domain X (TDx)" by the DO domain and the DO. The domain may be created as a shell, or in a "pristine" condition, that has not yet been claimed. In this case, the SDM may initiate the RTO process, whereby it contacts the intended RO on behalf of the domain TDX. Once an RO has gone through the RTO process for the domain, the SDM may no longer initiate another RTO process for that domain. Instead, the RO itself may initiate another take-ownership process on the domain. That take-ownership process may differ from the RTO process specified so far in that it may be initiated remotely by the remote owner rather than locally by the device owner/user or by the device itself (possibly coordinated by the SDM or the DO domain). Even after an RO domain has gone through the RTO process and has thereby been "claimed" or "owned" by the appropriate RO, the DO may retain the right to delete, destroy or disconnect any RO domain. The DO, however, would not normally be able to learn the secrets stored inside an RO domain, or the transient computations or functions performed inside it.
Before the SDM initiates an RTO process for a pristine RO domain, it may look up a list of resources available for the domain build process. That list may be maintained by the DM domain. The SDM may also look up a list of "desired domains". That list may be maintained in the DO domain TDDO. The SDM may further consult the system-wide domain policy (SDP) and the current state, including the trust state, of the existing domains on the THSM and platform, which may be available for query from the DM domain. This information may be used to determine whether the desired RTO process for the particular RO domain is feasible in light of the available resources and policy, desired in light of the desired-domain list, and permitted in light of the state of the THSM's existing domains, which may be, for example, the trust state.
Alternatively, the remote owner domain (TDRO) may itself initiate and manage the RTO process. Before the RTO process, the TDRO may be unclaimed and in a "pristine" condition. This "pristine" RO domain TDRO may include pre-configured functionality that allows it to contact its intended RO on start-up and to initiate the RTO process autonomously. Optionally, the RTO process may be started after the TDRO prompts the owner or user of the THSM and then receives from the owner or user a "nod" to initiate the RTO process. In the following, a domain TD that has been created and is to be owned by the (target) remote owner RO_target, but that has not yet been taken into ownership through an RTO process and is still in the "pristine" state, may be denoted TDRO_target*.
In another alternative, the TDRO may already have gone through at least one RTO process with a particular RO and may currently be "claimed" or "owned" by that RO. Whether the DO, or its agent on the THSM such as the domain TDRO, is allowed to start another RTO process for the same RO domain may depend on the RO's policy and/or the SDM's policy. The SDM may check the purpose of the RTO and may determine, based on the permissible purposes or activities within its policy structure, whether to allow the new RTO to proceed. Via remote signalling, the RO or the RO domain (TDRO) may initiate another RTO process for the domain with the same RO. This may be done in the TDRO when the RO needs to update configuration files, security policies or executable code. The RO may download the updates. Updates may be performed through a non-RTO, over-the-air (OTA) update process. In some cases, however, the RO or the TDRO may use another RTO process to update some files or code.
When a "pristine" TDRO initiates its own RTO process, it may need to rely on the SDM to look up the list of resources available for domain building, which may be maintained by the DM domain. The TDRO may also rely on the SDM to look up the "desired domain" list maintained in the DO domain, the system-wide domain policy (SDP), and the current state, including the trust state, of the THSM's existing domains, which may be available for query from the DM domain. This information may be used to determine whether the intended RTO process for the particular RO domain is feasible in light of the available resources and policy, desired in light of the desired-domain list, and permitted in light of the state of the THSM's existing domains.
The SDM policy may be configured during the take-ownership (TO) process for the DO. That configuration may be done locally, by means of a pre-existing configuration structure that is put in place during the boot process. The DO's TO may also be performed remotely; as specified here, that process may be similar to the RTO process used in conjunction with the take-ownership process for domains other than the device owner's domain, except that for the DO domain's TO process the SDM checks that block or allow an RTO need not be invoked, unlike the case of an RTO process for a remote owner that is not the device owner. The SDP may be established during the DO's take-ownership process, which may be performed either locally (with the DO physically present and interacting with the device) or in a manner that includes remote interaction with a remotely located device owner. The list may also include additional entries specifying remote owners that are not allowed to take ownership of a domain.
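The following is an added example, not part of the application text, that puts the SDM's admission checks described in the preceding paragraphs into one routine: the THSM must have reached the state in which the DO domain is loaded, the target domain must still be a pristine unclaimed shell (the SDM does not start a second RTO on a claimed domain), the RO must not be on the SDP's list of remote owners that may not take ownership, the domain/RO pair must be on the DO's desired-domain list, the DM domain's available resources must cover the build, and the existing domains must be in a trusted state. The data model (`Domain`, `Sdm`, the resource "cost" units, the domain and owner names) is assumed for the example; the page defines none of these structures.

```python
from dataclasses import dataclass, field
from enum import Enum


class ThsmState(Enum):
    PRE_BOOT = 0
    TDDM_LOAD_COMPLETE = 1
    TDDO_LOAD_COMPLETE = 2
    TDRO_LOAD_COMPLETE = 3


@dataclass
class Domain:
    name: str
    owner: str      # "" while the domain is a pristine, unclaimed shell
    trusted: bool   # current trust state as reported by the DM domain
    cost: int       # resource units the build needs (assumed unit)


@dataclass
class Sdm:
    state: ThsmState
    available_resources: int     # list of available resources, kept by the DM domain
    desired_domains: dict        # desired-domain list from TDDO: domain name -> intended RO
    denied_owners: set           # SDP entries: ROs that may not take ownership
    domains: dict = field(default_factory=dict)

    def check_rto(self, domain_name: str, ro: str) -> tuple:
        """Return (allowed, reason) for an RTO of domain_name by ro."""
        if self.state.value < ThsmState.TDDO_LOAD_COMPLETE.value:
            return False, "DO domain not loaded yet"
        target = self.domains.get(domain_name)
        if target is None:
            return False, "no such domain"
        if target.owner:
            return False, "domain already claimed; SDM will not start a second RTO"
        if ro in self.denied_owners:
            return False, "SDP denies this remote owner"
        if self.desired_domains.get(domain_name) != ro:
            return False, "domain/RO pair is not in the desired-domain list"
        if target.cost > self.available_resources:
            return False, "insufficient resources"
        untrusted = [d.name for d in self.domains.values() if not d.trusted]
        if untrusted:
            return False, "existing domains in untrusted state: " + ", ".join(untrusted)
        return True, "ok"

    def complete_rto(self, domain_name: str, ro: str) -> None:
        """Re-run the checks, then record the claim and the resources consumed."""
        allowed, reason = self.check_rto(domain_name, ro)
        if not allowed:
            raise PermissionError(reason)
        target = self.domains[domain_name]
        target.owner = ro
        self.available_resources -= target.cost
        self.state = ThsmState.TDRO_LOAD_COMPLETE


def demo() -> dict:
    """Constructed scenario exercising each refusal reason and one success."""
    sdm = Sdm(
        state=ThsmState.TDDO_LOAD_COMPLETE,
        available_resources=20,
        desired_domains={"TD_X": "MNO-A", "TD_Y": "MNO-B", "TD_Z": "MNO-B"},
        denied_owners={"MNO-C"},
        domains={
            "TD_DM": Domain("TD_DM", "DM", True, 0),
            "TD_DO": Domain("TD_DO", "DO", True, 0),
            "TD_X": Domain("TD_X", "", True, 4),
            "TD_Y": Domain("TD_Y", "", True, 8),
            "TD_Z": Domain("TD_Z", "", True, 30),
        },
    )
    out = {}
    out["x_by_a"] = sdm.check_rto("TD_X", "MNO-A")
    out["x_by_c"] = sdm.check_rto("TD_X", "MNO-C")      # denied by SDP
    out["y_by_a"] = sdm.check_rto("TD_Y", "MNO-A")      # not the intended RO
    out["z_by_b"] = sdm.check_rto("TD_Z", "MNO-B")      # too expensive
    sdm.complete_rto("TD_X", "MNO-A")
    out["x_again"] = sdm.check_rto("TD_X", "MNO-A")     # already claimed
    out["y_by_b"] = sdm.check_rto("TD_Y", "MNO-B")      # still fits in 16 units
    sdm.domains["TD_X"].trusted = False                  # X later reports untrusted
    out["y_by_b_untrusted"] = sdm.check_rto("TD_Y", "MNO-B")
    return out
```

The checks are ordered from the cheapest and most authoritative (system state, claim status, SDP denial) to the most situational (resources, trust state of neighbours), so a denied owner learns nothing about the resource or trust situation on the THSM from the refusal.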
In a second embodiment, the ME may have a secure boot capability and may rely on the THSM to perform some of the "secure boot" checks on some of its boot code. The ME may also perform a non-TCG secure boot, for example an OMTP TR0 secure boot. The THSM may be used to check the integrity of the ME, so as to "use" the physical protection provided for the THSM. For example, the ME may send raw data to the THSM, and the THSM may check the ME's integrity. The WTRU may implement a mechanism that provides a secure channel between the THSM and the ME, or a "more trustworthy" part of the ME that is at least trusted to send code or data to the THSM in a secure manner, so that the two can communicate securely, for example over the secure channel, allowing the THSM to perform integrity checks for the ME. The THSM may also store within itself certain ME code on behalf of the ME. That code may be loaded into the ME during the boot process. The THSM may serve to check the ME's integrity, or to store and load some of the ME's code, because as between the THSM itself and the ME, the THSM, having hardware-based protection mechanisms, may be the more trusted environment.

In a third embodiment, the THSM may perform some of the secure boot or integrity check processing for the ME code. That processing may be attested to the RO. The ME may include a single trusted entity, the Mobile Trusted Environment (MTE). The MTE may be a logically separate environment inside the ME that is more trusted than the rest of the ME. The MTE may use certain hardware-based protection mechanisms, such as a hardware-based root of trust (RoT). The MTE may be loaded after the ME's basic code has been loaded. The MTE may be a trusted entity in the sense that it can provide proof of trust to an external verifier, for example by using a trusted signing key. Although the MTE is a trusted entity, it need not possess a core root of trust for measurement, which is the measurement program code associated with an actual TPM. The ME, as the powered device, provides a platform on which the THSM operates, and may be referred to here as the ME platform. The MTE may be configured to collect integrity evidence about the ME platform and to forward that evidence, at least under integrity protection provided by a signing key protected inside the MTE, to a trusted entity inside the THSM, such as the SDM after boot. Since the THSM implements TCG TPM- or MTM-like integrity measurement and verification functions, the THSM may also implement the TCG TPM or MTM capability of performing the "extend" operation, whereby the measurement of the current software is combined with the current value of a platform configuration register (PCR) indicating the software loading history state to compute a new PCR value. The THSM may also implement a mechanism for converting a digest value (which may be a raw measurement of a software component's integrity) or a PCR value into other integrity data that can be used to prove the trustworthiness of the ME platform to the THSM. For simplicity, the collected ME platform integrity data may be denoted below as the ME Platform Integrity Data (MPID). The THSM need not maintain a domain for the ME or the MTE. The THSM may obtain a certified measurement from a pre-configured file or by contacting the DM in real time, and it checks the computed digest against that measurement. If a match is found, the ME may then be attested. The MTE may also collect data describing the ME's "environment", such as the model number, which services it is expected to perform and for whom. For simplicity, this description of the ME's environment may be denoted below as the ME Platform Environment Survey (MPES). The RO of the THSM DO may attest its own domain and the integrity of the ME platform. That attestation may be similar to the M2ME validation function of the Trusted Environment (TRE) in the M2M case, as specified in PCT patent application WO2009/092115 (PCT/US2009/031603). The ME may continuously report its changing state to the THSM, either on its own or at the THSM's request.
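The following is an added example, not part of the application text, showing the "extend" operation and the digest comparison described in the preceding paragraph: each software component is measured, the measurement is folded into a PCR as H(PCR_old || measurement), and the resulting value (standing in for the MPID) is compared in constant time against a reference that the DM would supply. SHA-256, the all-zero initial PCR, the component names and the reference value are assumptions made for the example; the page names only a SHA-X hash and does not fix the PCR width or the component list.

```python
import hashlib
import hmac

PCR_INIT = bytes(32)   # PCR contents after reset; 32 bytes for SHA-256 (assumed)


def measure(component: bytes) -> bytes:
    """Digest of one software component (the 'raw measurement' of the page)."""
    return hashlib.sha256(component).digest()


def extend(pcr: bytes, measurement: bytes) -> bytes:
    """TPM-style extend: PCR_new = H(PCR_old || measurement).
    The hash is one-way, so a PCR can only move forward; it cannot be
    set to an arbitrary value or rewound to hide a component."""
    return hashlib.sha256(pcr + measurement).digest()


def compute_mpid(components) -> bytes:
    """Fold the ordered boot chain into one PCR value; this plays the MPID role.
    Returns the final PCR, so both content and load order are bound."""
    pcr = PCR_INIT
    for comp in components:
        pcr = extend(pcr, measure(comp))
    return pcr


def verify_mpid(mpid: bytes, reference: bytes) -> bool:
    """Check the computed digest against the certified measurement in constant time."""
    return hmac.compare_digest(mpid, reference)


def demo() -> dict:
    """Constructed boot chain: a golden copy, a patched component, and a reorder."""
    golden = [b"ME bootloader v1", b"ME kernel v1", b"MTE image v1"]
    reference = compute_mpid(golden)      # what the DM's certified metric would hold
    out = {}
    out["good"] = verify_mpid(compute_mpid(golden), reference)
    modified = [b"ME bootloader v1", b"ME kernel v1-patched", b"MTE image v1"]
    out["modified_component"] = verify_mpid(compute_mpid(modified), reference)
    reordered = [golden[1], golden[0], golden[2]]
    out["reordered"] = verify_mpid(compute_mpid(reordered), reference)
    return out
```

Two properties of the fold are what make it useful as attestation evidence: a single changed byte in any component changes the final value, and so does loading the same components in a different order, because each extend hashes the previous register contents together with the new measurement.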
In a fourth embodiment, both the ME and the THSM may be configured to perform full MTM functions. The trustworthiness of the ME or of its domains may be attested either by the ME or directly by those domains. The ME's RO domain may report its state to the RO continuously or on request. The THSM's RO domain may have a similar function. The reports made by the ME's RO domain and the THSM's RO domain may be synchronized and may also be bound to each other. These reports may also be produced using a common session of the protocol flow.
In this embodiment, the ME may be configured to perform several of the THSM functions described here. The ME may include one or more domains of its own, each directed to a particular owner. These domains may have the attributes of trusted entities in the manner of the THSM. Such domains may include a device manufacturer (DM) domain and a user (U) domain. These domains may be pre-configured in a manner similar to the THSM. To distinguish domains on the ME from domains on the THSM, the letters ME may be appended as a subscript to the letters denoting the domain itself. Thus the domain for the DM may be denoted MEDM. The device owner (DO) domain on the THSM may monitor the domains on the ME side to ensure consistency with the system-wide domain policy (SDP) in the SDM. As each domain in the ME is created, the THSM DO may be made aware of the configuration of each new domain through communication with the SDM.
The ME may include a domain manager called the platform domain manager (MEPDM), which may operate in a manner similar to the SDM in the THSM. The MEPDM may reside in the MEDM and may initially have a pre-configuration defined by the DM. This initial configuration may be similar in purpose and function to the configuration defined by the initial pre-configuration of the TDDM on the THSM. The set-up of the MEDM may be timed to occur after the instantiation of the TDDO in the THSM. When the SDM learns that the set-up of the MEDM is complete, it may enforce, in accordance with system-level restrictions, the policy restrictions derived from or reflected by the SDP. The SDM may maintain a list of the multiple remote owners and their domains on the THSM. If domains belonging to one of the owners on that list are to be created and managed on the ME, the SDM may exert some control over the process of creating and managing those domains on the ME.
In this embodiment, the ME may have full MTM functionality. It may therefore include a core root of trust for measurement (CRTM), a core root of trust for reporting (CRTR) and a core root of trust for storage (CRTS). On the THSM, the domain subscription function may be managed by the TSIM function. If two domains (for example one on the THSM and one on the ME) are for the same RO, the domain on the THSM may be used for those functions or services for the RO that require a very high level of security and/or trust, such as the subscription function and its management for the remote owner, while the domain on the ME may be used for functions or services for the same RO that still require some level of security or trust, but a level lower than that expected of the functions and services of the domain on the THSM. Domains that are not built from pre-configured files may be configured through a remote take-ownership (RTO) process. The RTO for the ME and for a typical remote owner (RO) may be similar to the RTO for the THSM.
Domains on the ME may not be intended for subscription management on behalf of remote owners. Instead, they may be intended to perform computation- and resource-intensive tasks for the benefit of the user, the owner, the remote owner, or any combination of these. For example, these domains may perform tasks that cannot be carried out with the relatively limited resources of the THSM. Unlike domains that, once created, remain inside the ME until explicitly deleted, domains on the ME may, much as in virtualization, be created in a boot-time or even run-time session and be used for their specific purpose on a temporary, per-session basis; in this sense these domains may also be more "ephemeral" or "transient". The remote owner of a domain on the ME does not necessarily have the same level of authority to request and obtain an attested survey of the resource allocation and allocation purposes of other domains on the ME, or of other such domains on the THSM, that are owned by other remote owners.
It would be very advantageous if a method could be provided for the device owner of a mobile trusted platform to purchase a "blank" WTRU that has not been pre-allocated to and initialized for a particular PLMN (also referred to here as the MNO remote owner), thereby allowing the mobile network operator to be chosen freely without restriction. The method may include performing a take-ownership process, such as an RTO process, on a WTRU such as UMTS user equipment (UE), where the remote owner is the PLMN operator, or another similar operator, with which the user intends to subscribe to an application, and setting up, customizing and finalizing a subsystem such as an RO domain, where the RO domain is a domain that resides inside the THSM and may be claimed by the proper RO.
As described above, the trusted hardware subscription identity (THSM) may either be built as a tamper-resistant hardware component module or contain such a tamper-resistant component module inside it, where that module contains the functions for the PLMN operator's subscription application and for other value-added services, for example the functions of an IMS subscription identity module (ISIM). The THSM may be either removable or non-removable from the WTRU. An enhanced version of the UICC, or a smart card compliant with the GlobalPlatform standard, may be one implementation of such a THSM.
The take-ownership operation establishes a basic "trust" relationship between the operator or PLMN and the WTRU. The process may include installing and instantiating a "blank trusted" TSIM that contains "pristine" tooling with a generic "trusted" software configuration. If the platform can provide its "pristine" configuration and security properties, the subsystem may be certified by the remote owner. Figures 3 and 3A show an example of this process, which relates in particular to the first embodiment described here. The remote owner may be the mobile network that provides the requested service to the user, sets the appropriate security policies, and enforces a device configuration consistent with the service. The owner of this protocol may be local.
Figures 3 and 3A illustrate an example boot and RTO process. The ME may have a pre-boot state 304. At 306, the device may be powered on. At 308, the ME may perform a "secure" boot (non-TCG). The ME may reach a base-code-booted state 310. Further, at 312, the ME may send a "base boot complete" signal to the THSM. At 314, the ME may load additional software according to the base configuration. At 316, the ME boot may complete (applications loaded). At 318, the ME may send a boot-complete message to the THSM.
The THSM may be in a pre-boot state 330. At 334, the THSM may load the TEDM. The THSM may receive pre-configured files during the configuration process; for example, 336 shows the process using the pre-configured files. At 338, the THSM may reach a "TDDM built" state (base configuration state). As shown at 340, the THSM may receive the DM's specification of the resources available for RO domains.
At 342, the TDDM may build the TDDO (the TDDO may include the SDM). At 344, for example, the THSM may use saved configuration files, for instance to build domains (possibly available because of a previous RTO). At 346, the THSM may reach a TDDO-built state (including the SDM), where the TDDO may or may not have been claimed by the DO. At 350, the TDDO may build the TDU. At 352, input may be received from the DO. At 354, the THSM may reach a TDU-built state, where the TDU may or may not have been claimed. At 356, the THSM may receive input from the DO or DU (for example, via a file or an interaction specifying which domains the DO may wish to build). At 358, the TDDO may build the RO domain TDRO.
Referring now to Figure 3A, at 362 the THSM may reach a state in which the TDRO has been built, where the TDRO may or may not have been claimed by the RO. At 366, the SDM may request the TDRO to perform an RTO, or the TDRO may notify (or request) the SDM that it is about to perform an RTO. At 370, the TDRO may start the RTO process. At 380, there are typical remote owners (RO1...ROn). At 384, information may be exchanged. For example, as part of the RTO process with a remote owner, the exchanged information may include one or more of: attestations, configuration, policy, purpose, certificates (referred to here as CERT), keys, and the SP relating to the TDRO. Alternatively, the RO may find out the DO's "environment" or "domain plan" during the RTO process, and may allow the process to continue if it agrees with that environment/plan.
At 372, the THSM may obtain/update the system configuration of the different domains, save the information, and store it in non-volatile protected memory in the THSM. At 374, the THSM may reach a state with a post-RTO TDRO.
Referring to the first embodiment, the policy domain formed by the DO's RTO may include provisions affecting the domain configuration of subsequent RTO processes. The RTO protocol may also apply to non-DO ROs. Domain-specific policies (DPs) may be downloaded during the RTO transaction. The DP for the DO may differ from the DP for an RO, in that this DP (DPDO) may include the system-level domain policy (SDP) intended for building and maintaining the other domains of the THSM that may be remotely owned. Before or during the RTO process, the RO of a domain may obtain from a trusted third party (TTP) a reference integrity metric (RIMRO) for the configuration and current integrity state of the hardware or software supporting all of the THSM's domains, or a subset of them, which can be expressed as:
TTP → RO: RIMRO = {configuration and state, and/or digest value, of the HW/SW supporting the THSM's domains}   Equation 1
In some cases a TTP may be able to provide the RIMRO for a subset of the THSM's HW and SW, the subset containing the domains that the RO is interested in verifying. More than one TTP may be needed to provide the RIMRO, in which case the RO collects the RIMROs and forms an aggregate reference metric. With the help of the THSM's SDM, the target domain of the THSM undergoing the RTO process (TDRO_target) may be configured to provide its RO with a signed THSM platform integrity attestation (TPIA). The TPIA may be a concatenation of the individual integrity attestations of the domains on the THSM and/or of the device platform that the RO of the target domain wishes to verify before allowing the RTO process with the TDRO_target to complete. With the help of the THSM's SDM, the target domain of the THSM (TDRO_target) can provide its RO with a signed THSM platform environment summary (TPES). The TPES may include a summary of the THSM environment, including the number and characteristics of the other domains on the THSM and any remaining resources, such as resources of the THSM platform, available to the TDRO_target, which can be expressed as:
TDRO_target → RO: [TPIA]signed || [TPES]signed   Equation 2
Alternatively, instead of reporting to the RO a TPIA that may contain all the attestations for all the domains, the SDM may provide a signed statement that it has checked the integrity of all these domains and considers them trustworthy; this statement may be a semi-autonomous statement. The attestation may include a local verification of the integrity of the set of domains. The local verifier may hold a list of valid configurations for each domain on the THSM. The SDM may provide the local verifier with a TPIA that may be signed with an AIK. Verification of the individual integrity attestations may require that they match the corresponding locally stored entries in the configuration list. The SDM may perform the integrity measurements, logging and PCR extensions needed to construct the TPIA, and attest to the trustworthiness of each domain. These measurements and extensions may be used by the verifier to determine that attestation has been performed for the required domains.
Once verification is complete, the local verifier may prepare a statement that the relevant attestation has been performed, and sign the statement with the private key of a certified key pair (Ksign_verify_priv, Ksign_verify_pub). The message containing the signed verification statement concatenated with the signed TPES can be expressed as:
TDRO_target → RO: [verification statement]Ksign_verify_priv || [TPES]signed   Equation 3
Upon receiving the {RIMRO} from one or more TTPs and the signed TPIA and signed TPES from the TDRO_target, the RO may verify whether the TDRO_target is in an environment (for example, the environment in the THSM) that the RO finds suitable for continuing the RTO process, and whether the hardware or software supporting the TDRO_target and any other domains the RO is concerned with is in an integrity state acceptable to the RO.
The RTO protocol for a pristine domain may begin at power-on. Alternatively, the RTO protocol may begin after power-on. When the THSM's secure boot completes, the resulting construction of domains may be determined by a configuration file whose contents reflect the platform state at initial power-on, for example the state at first power-on, or the previous state of a device that was booted earlier and subsequently powered off. The device may thus be in a base configuration consisting of a built TDDM, a "pristine" TDDO and a "pristine" TEU state. Alternatively, the WTRU may be in a later configuration, for example one based on a previous boot and domain construction or RTO process, comprising a TDDM, a "post-RTO" TDDO and a "post-RTO" TEU state. In another alternative embodiment, the WTRU may be in a configuration that also includes an extended set of additional domains (for example, the domains shown in Figure 2). These domains may have been created in a previous power-on session, and their ownership may have been taken by the respective owners through an RTO process run in that previous session.
Referring to the first embodiment, as the secure and trusted entity of the platform, the THSM may control the take-ownership protocol and determine whether the ME is in an initial trusted state. A pre-provisioned key Ktemp may be used to protect the confidentiality of messages sent over the THSM-ME interface. For simplicity, an encrypted message is denoted {A}, a signed message is denoted [A], and the symbols IDME and IDTHSM denote the pre-provisioned temporary IDs of the ME and the THSM, respectively.
RTO initiation may include the SDM of the TDDO initiating, after an RTO process with a particular RO, an RTO for an "unclaimed", "pristine" domain that is to be claimed by that RO. The user may initiate power-on of the ME platform. At power-on, the ME may perform a "non-TCG" "secure boot" of its base code, for example a boot as defined by OMTP, during which the base code becomes "active". As part of the non-TCG secure boot process, the integrity of the ME base code may be checked autonomously.
Referring to the third embodiment, after the base code boot process completes, the mobile trusted environment (MTE) may be loaded. Using a signing key, the MTE can attest to the integrity of the ME platform configuration.
After loading the base code, the ME may periodically send a signal to the THSM indicating that it has booted into a minimal secure configuration. Because the THSM's DO domain may not yet have been booted when the signal is sent, the ME may send the same signal with a different random nonce (nonce_1) each time until it receives a response signal from the THSM's DO domain. The signal can be expressed as:
Def) Package_1 = "ME base code boot complete" MSG || nonce_1 || IDME
ME → THSM's TDDO: Package_1 || [SHA-X(Package_1)]Ktemp_I   Equation 4
Referring to the third embodiment, this signalling can be expressed as:
Def) Package_1 = "ME base code boot complete & MTE loaded" MSG || nonce_1 || IDME
ME → THSM's TDDO: Package_1 || [SHA-X(Package_1)]Ktemp_I   Equation 5
The THSM may boot "securely", whereby it may have loaded its DM domain, a "pristine" DO domain, a user domain, and at least one "pristine" domain that is to be owned by an RO but is not yet owned. In addition, as these domains are loaded, the integrity of each domain's code state may be checked against that domain's reference integrity metric (RIM). This check may be performed according to a specification, for example the TCG MPWG specification.
If the device owner domain (TDDO) has previously undergone the RTO process for the DO, it may likewise be loaded into a "pre-configured" configuration or a "last saved (after the previous RTO)" configuration. When loaded, the DO domain may include the system-level domain manager (SDM). The SDM may supervise the building, loading or maintenance of the domains belonging to other remote owners (ROs). The SDM may look up the "domain available resource list" from the DM domain, and may also look up the system-level domain policy (SDP) protected by the TDDO.
At boot, the SDM may also prompt the user or owner (DO) of the THSM with a "list of domains that can be built" and request input selecting the domains to build. After obtaining input from the user or owner, the SDM may proceed to build only those domains specified in the owner's or user's response. The SDM may provide the user interface (UI) for these transactions by interacting with the ME.
After secure boot, the THSM's TDDO may send a "THSM boot complete" message to the ME. The TDDO may also include in the message a summary of the current state of the domains that may be disclosed externally, for example the number and names of the loaded RO domains. The SDM of the TDDO may determine and enforce the extent to which the current state summary of the domains is disclosed externally, and this determination may be based on the SDP and/or the domain-specific policies (DPs) of the domains on the THSM and/or the ME. The TDDO may acknowledge receipt of Package_1 in this message by including the received nonce_1 as part of the input to the SHA-X integrity check code, which can be expressed as follows:
Def) Package_2 = "THSM boot complete" MSG || nonce_2 || IDTHSM
TDDO → ME: Package_2 || [SHA-X(Package_1 || nonce_1)]Ktemp_I   Equation 6
The ID of the THSM, for example IDTHSM, may be kept in the DM domain TDDM and may be equivalent to the ID of the TDDM. The DO domain TDDO may retrieve it from the TDDM in order to construct Package_2 in Equation 6.
In response to the "THSM boot complete" message, the ME may proceed to complete its boot process. After completing the boot process, the ME may send a message to the THSM's TDDO, which can be expressed as:
Def) Package_3 = "ME boot complete" || nonce_3
ME → TDDO: Package_3 || [SHA-X(Package_3 || nonce_2)]Ktemp_I   Equation 7
The following applies to the case in which the SDM of the DO domain initiates and supervises the RTO process for a currently "pristine" RO domain.
After the TDDO receives Package_2 from the ME, the RTO process may begin. The system-level domain manager (SDM) inside the TDDO may initiate the RTO process by requesting the "pristine" target RO domain (TD*RO_Target) to start the RTO process. The SDM may initiate this either autonomously or when prompted by the owner or user. The SDM may send a request to the TD*RO asking it to start the RTO process for the target RO. The request may include who the target RO is, for example the RO's ID or network access identifier (NAI), and the validity period of the current request. As part of the request, or as a separate package sent with it, the SDM may also send the list of "SDP conditions for allowed RO domains" (referred to below as SCARD). The SDM may also send the "target domain plan" for the TDRO as it will be once the intended RTO process completes. This messaging can be expressed as:
Def) Package_4a = Request_to_start_RTO || SCARD || Target Domain Plan || nonce_4
SDM → TD*RO_Target: Package_4a || [SHA-X(Package_4a)]Ksign_SDM   Equation 8
In response to receiving Package_4, the TD*RO_Target may accept or reject the request. The request may be interpreted as an intention to allow the RO to take ownership of the RO domain. The TD*RO_Target may make this decision based on pre-configured criteria or on the "pristine" version of the RO domain policy that it holds and has loaded. The TD*RO_Target may be configured to examine the Request_to_start_RTO, the SCARD and the Target_Domain_Plan, and to make this decision in the absence of, and on behalf of, the actual target remote owner. The decision can be expressed as:
Def) Package_5a = Okay(or Not_Okay)_to_start_RTO || nonce_5a
TD*RO_Target → SDM: Package_5a || [SHA-X(Package_5a) || nonce_4]Ksign_TD*RO_Target   Equation 9
The "pristine" target RO domain (TD*RO_Target) may also initiate the process. The TD*RO_Target may alert the SDM to its "final domain plan" for the RTO process. The SDM may grant or deny the request. If the SDM grants the request, the TD*RO may start the RTO process, which can be expressed as:
Def) Package_5b = Intend_to_start_RTO || Final Domain Plan || nonce_5b
TD*RO_Target → SDM: Package_5b || [SHA-X(Package_5b)]Ksign_TD*RO_Target   Equation 10
In response to receiving Package_5a or Package_5b, the SDM may, for the RTO process for the TD*RO_Target, look up the system domain policy (SDP), which may be pre-configured or obtained through the RTO process for the TDDO; the "desired domains" list, which may be pre-configured or supplied by the owner; the "domain available resources" list, which may be maintained and continually updated by the DM domain; or the current state of the domains in the THSM.
The SDM may also evaluate whether there are sufficient resources (for example memory or computing resources for virtual machine threads) to build and maintain multiple domains on the THSM, whether the current state of the domains in the THSM matches the state specified in the "desired domains" list, whether the building or loading of the new domains in the "desired domains" list can be supported by the current state of the domains in the THSM and is permitted by the SDP, and whether one or more domains need to undergo the RTO process.
If the SDM determines, based on the available resources, the current state of the THSM's existing domains and the SDP, that the TD*RO_Target may undergo the RTO process, the SDM may indicate this decision to the TD*RO_Target and proceed to prepare the integrity attestations that will be forwarded to the RO during the RTO process, so that the RO can evaluate the TD*RO_Target and the domains around it. This can be expressed as:
Def) Package_6 = Okay_to_go_ahead_with_RTO || nonce_6
SDM → TD*RO_Target: Package_6 || [SHA-X(Package_6) || nonce_5(a or b)]Ksign_SDM   Equation 11
The SDM may indicate to the user that it is about to initiate the RTO process for a particular domain, for example through a message displayed on the WTRU. The SDM may also prompt the user or owner (DO) with a list of "desired domains and desired ROs for which to initiate the RTO process", and proceed to initiate the RTO process only for those RO domains specified by the owner or user in response to the prompt. The SDM may also interact with the ME, which provides the user interface (UI) for these transactions.
The TD*RO_Target may request the SDM to prepare the material it can use to construct the THSM platform integrity attestation (TPIA) and the THSM platform environment summary (TPES). The request can be expressed as:
Def) Package_7 = Request_for_TPIA || Request_for_TPES || nonce_7
TD*RO_Target → SDM: Package_7 || [SHA-X(Package_7) || nonce_6]Ksign_TD*RO_Target   Equation 12
Referring to the third embodiment, the request can be expressed as:
Def) Package_7a = Request_for_TPIA || Request_for_TPES || Request for MPID || Request for MPES || nonce_7a
TD*RO_Target → SDM: Package_7a || [SHA-X(Package_7a || nonce_6)]Ksign_TD*RO_Target   Equation 13
In the request for the TPIA and TPES, the RO may specify what information relating to the TPIA and TPES it seeks from the SDM. For example, for the TPIA it may specify the names or range of the domains, beyond its own, whose integrity it wishes to verify. Likewise, for the TPES, the RO may specify the public IDs, for example network access identifiers (NAIs), of the owners of domains other than its own.
Referring to the third embodiment, the target RO may also request specific information relating to the integrity of the ME platform (referred to below as the MPID), as well as other information relating to the ME environment. Alternatively, the RO may request a simple indicator that the MTE has been loaded and that the ME has sent the MPID and MPES to the SDM. As a trusted entity residing on the ME platform, the MTE may prepare the values MPID and MPES when requested to do so by the SDM. The request can be expressed as:
Def) Package_7b = Request for MPID || Request for MPES || nonce_7b
SDM → MTE: Package_7b || [SHA-X(Package_7b)]Ksign_SDM   Equation 14
The MTE may collect configuration data from the ME and build the MPID. It may also gather environment data in order to produce the ME platform environment survey (MPES). These values may be based on the current ME state, which may change over time. If a later request is made after the ME state has changed, updated values may be sent to the SDM. In general, the ME may send a response to the SDM, which can be expressed as:
Def) Package_8a = MPID || MPES || CertMTE
MTE → SDM: Package_8a || [SHA-X(Package_8a || nonce_7b)]Ksign_MTE   Equation 14
The MTE may provide a certificate signed by a CA and containing its public key KMTE_Pub. The SDM may thus verify the authenticity of this public key by verifying the CA's signature, and may then use KMTE_Pub to check the integrity of messages from the MTE. The SDM may prepare the TPIA and TPES and later forward them to the TD*RO_Target.
To prepare the TPIA, the SDM may collect integrity attestations, for example the integrity attestation of the "pristine" TDRO from that TDRO, the integrity attestation of the TEDM from the TEDM, the integrity attestation of the TEDO, the integrity attestation of the TEU from the TEU (if the device user differs from the DO), and the integrity attestation of any other existing TDRO of interest to the RO from that TDRO.
Alternatively, after collecting the integrity values from the PCRs, the SDM may verify the domains against the digest values from the PCRs for the corresponding domains through a local autonomous check and a recomputation over the measurement logs, such as code and data. This process may be performed when the TTP (PCA) does not know the latest code that should be contained in the corresponding domain, and the TTP may certify the signing key linked to the AIK that is certified for the TPM or MTM on the WTRU. The TTP may not be configured to provide the RO with a reference value for comparing the digest metric of the TPIA from the SDM. By recomputing the code digest of a domain and comparing it with the quoted PCR value, the SDM may check locally whether the PCR quote it obtained for that domain is up to date. If this local check passes, the SDM may sign the TPIA and deliver it, via the MTE or ME, to the TDRO_target and the ROtarget.
In another alternative, a three-way check, the SDM can provide, as part of the TPIA, the domain's digest and the measurement log, e.g. the actual code. Having obtained the code and the digest, the RO can obtain a reference measurement of the digest from the TTP, recompute the digest from the measurement log, and compare it with both the quoted PCR digest it received from TDRO_Target and the reference digest measurement it received from the TTP.
For a TPIA with or without a measurement log, the PCR quote can also include an indication of the "local time", which effectively time-stamps the quote time of the digest for each individual domain. This gives the time at which the SDM last obtained the PCR digest of each domain. If the measurement log is not sent to the RO, the time-stamped PCR quote can give the RO additional information when it has to verify the attestation indicated in the TPIA, namely in deciding whether the time at which the local digest was obtained and included in the TPIA is recent enough to allow the digest to be used in the attestation check. The clock used for this time stamp can be a trusted clock.
If the three-way check fails, the RO can request that the TTP provide it with an updated reference measurement or measurement log, from which it can compute the expected digest. The RO can then retry the three-way check. If the check succeeds, the RTO continues. If the check fails and the RO policy requires a successful three-way check, the RTO can be terminated.
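The RO-side three-way check described above, including the retry after requesting an updated reference from the TTP and the policy-dependent outcome, as an added simulation; this is not the patent's own code. The PCR extend rule (SHA-256 over the previous register value and the event digest, starting from an all-zero register), the measurement-log contents and the TTP lookup table are constructed assumptions.

```python
import hashlib


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def recompute_digest(measurement_log) -> bytes:
    """Replay the measurement log with a TPM-style extend,
    PCR = H(PCR || H(event)), from an all-zero register (assumed rule)."""
    pcr = b"\x00" * 32
    for event in measurement_log:
        pcr = sha256(pcr + sha256(event))
    return pcr


class TTP:
    """Trusted third party: the reference it currently publishes per domain,
    and the value it hands out when the RO asks for an updated reference."""

    def __init__(self, published, latest):
        self.published = dict(published)
        self.latest = dict(latest)

    def reference_digest(self, domain):
        return self.published[domain]

    def request_update(self, domain):
        self.published[domain] = self.latest[domain]
        return self.published[domain]


def _explain(recomputed, quoted, reference):
    problems = []
    if recomputed != quoted:
        problems.append("log/quote mismatch")        # log does not reproduce the quoted PCR
    if quoted != reference:
        problems.append("quote/reference mismatch")  # quoted PCR differs from TTP reference
    return ", ".join(problems) or "match"


def three_way_check(domain, quoted_pcr, measurement_log, ttp, policy_requires_success=True):
    """Compare the recomputed digest, the quoted PCR digest and the TTP
    reference; retry once with an updated reference; return (outcome, detail)."""
    recomputed = recompute_digest(measurement_log)
    reference = ttp.reference_digest(domain)
    if recomputed == quoted_pcr == reference:
        return "continue", "matched on first attempt"
    reference = ttp.request_update(domain)           # ask the TTP for an updated reference
    if recomputed == quoted_pcr == reference:
        return "continue", "matched after reference update"
    detail = _explain(recomputed, quoted_pcr, reference)
    if policy_requires_success:
        return "terminate", detail
    return "continue", "three-way check failed but RO policy does not require it: " + detail


# Constructed sample measurement logs (not taken from the patent).
CURRENT_LOG = [b"domain bootloader v2", b"domain kernel v2", b"tsim application v2"]
STALE_LOG = [b"domain bootloader v1", b"domain kernel v1", b"tsim application v1"]


def make_ttp(stale: bool) -> TTP:
    published = recompute_digest(STALE_LOG if stale else CURRENT_LOG)
    return TTP({"TD_RO": published}, {"TD_RO": recompute_digest(CURRENT_LOG)})


def demo():
    quote = recompute_digest(CURRENT_LOG)            # honest PCR quote from TD_RO
    return {
        "fresh_ttp": three_way_check("TD_RO", quote, CURRENT_LOG, make_ttp(False)),
        "stale_ttp": three_way_check("TD_RO", quote, CURRENT_LOG, make_ttp(True)),
        "tampered_log": three_way_check("TD_RO", quote, STALE_LOG, make_ttp(False)),
        "tampered_lenient": three_way_check("TD_RO", quote, STALE_LOG, make_ttp(False),
                                            policy_requires_success=False),
    }
```

The detail string separates the two failure legs: a log/quote mismatch means the measurement log does not reproduce the quoted PCR (the log or the quote is wrong), whereas a quote/reference mismatch alone means the TTP's reference is stale, which the retry path resolves.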
The integrity attestation of the DO domain can be obtained by the SDM automatically, e.g. through the SDM's own functionality. Besides the integrity attestation of the DO domain, the SDM can also request the other respective domains to generate and sign their own integrity attestations. In the request, the SDM can include authorization data such as a token, which the recipient can use to check whether the SDM is authorized to request and obtain integrity attestations from that domain. The request can also include the range of platform configuration registers (PCRs) of the receiving domain whose integrity the target RO, and the SDM acting as forwarder of the target RO's request, need to check. The request can be expressed as:
Def) Package_8b(i) = Request_for_Attestation || nonce_8b(i), i = 1, 2, ..., N
SDM → TDDomain(i):
Package_8b(i) || [SHA-X(Package_8b(i))]Ksign_SDM
Equation 15
Here the domains can be denoted domain(i), i = 1, 2, ..., N, where N is the number of domains from which the SDM collects PCR values. Each domain first checks the authorization data in Request_for_Attestation and then retrieves the PCR values for the PCR range specified in Request_for_Attestation.
This operation can be expressed as:
Def) Package_8c(i) = values of the specified PCR range || nonce_8c(i), i = 1, 2, ..., N
TDDomain(i) → SDM:
Package_8c(i) || [SHA-X(Package_8c(i) || nonce_8b(i))]Ksign_TD_Domain(i)
Equation 16
The SDM can produce the THSM platform integrity attestation (TPIA) by concatenating all the attestations and signing them with its signing key. This can be expressed as:
Def) TPIA = Concatenation{signed PCR values from Domain(i)}, i = 1, 2, ..., N
Equation 17
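The exchange of Equations 15 to 17 (authorized attestation request with nonce, PCR retrieval over the requested range, a reply whose signature is bound to the requester's nonce, and concatenation into a signed TPIA), as an added simulation rather than the patent's own code. Assumptions: the "||" concatenation is rendered as JSON so that it can be parsed back; the asymmetric signing keys Ksign_SDM and Ksign_TD_Domain(i) are stood in for by HMAC-SHA256 keys so that the example runs with the standard library alone (so a party verifies with the same key the signer used); and the PCR contents and the authorization token are constructed sample data.

```python
import hashlib
import hmac
import json
import secrets


def sign(key: bytes, data: bytes) -> bytes:
    """[SHA-X(data)]Ksign: hash the data, then 'sign' the hash.
    HMAC-SHA256 stands in for the asymmetric signing key (assumption)."""
    return hmac.new(key, hashlib.sha256(data).digest(), "sha256").digest()


def verify(key: bytes, data: bytes, sig: bytes) -> bool:
    return hmac.compare_digest(sign(key, data), sig)


class TrustedDomain:
    """TD_Domain(i): holds its PCR values, its signing key and the
    authorization token it expects the SDM to present."""

    def __init__(self, name, pcrs, sign_key, expected_token):
        self.name = name
        self.pcrs = pcrs                  # list of hex digests, index = PCR number
        self.sign_key = sign_key
        self.expected_token = expected_token
        self.seen_nonces = set()          # nonce_8b values already answered

    def attest(self, package_8b: bytes, sig_8b: bytes, sdm_key: bytes):
        """Receive Equation 15, answer with Equation 16."""
        if not verify(sdm_key, package_8b, sig_8b):
            raise PermissionError("Package_8b signature does not verify")
        req = json.loads(package_8b)
        # authorization data is checked first, before any PCR is read
        if not hmac.compare_digest(req["token"].encode(), self.expected_token.encode()):
            raise PermissionError("SDM is not authorized to obtain attestations here")
        nonce_8b = req["nonce_8b"]
        if nonce_8b in self.seen_nonces:
            raise PermissionError("replayed Request_for_Attestation")
        self.seen_nonces.add(nonce_8b)
        lo, hi = req["pcr_range"]
        nonce_8c = secrets.token_hex(16)
        # Package_8c(i) = values of the specified PCR range || nonce_8c(i)
        package_8c = json.dumps(
            {"domain": self.name,
             "pcrs": {str(i): self.pcrs[i] for i in range(lo, hi + 1)},
             "nonce_8c": nonce_8c},
            sort_keys=True).encode()
        # [SHA-X(Package_8c(i) || nonce_8b(i))]Ksign_TD_Domain(i): the reply is
        # bound to the SDM's nonce, so an old reply cannot be reused later
        return package_8c, sign(self.sign_key, package_8c + nonce_8b.encode())


class SDM:
    def __init__(self, sign_key, token, domain_keys):
        self.sign_key = sign_key          # Ksign_SDM (HMAC stand-in)
        self.token = token                # authorization data carried in the request
        self.domain_keys = domain_keys    # verification keys of each TD_Domain(i)

    def request_attestation(self, domain, pcr_range):
        """Equation 15: Package_8b(i) = Request_for_Attestation || nonce_8b(i)."""
        nonce_8b = secrets.token_hex(16)
        package_8b = json.dumps(
            {"Request_for_Attestation": True, "token": self.token,
             "pcr_range": list(pcr_range), "nonce_8b": nonce_8b},
            sort_keys=True).encode()
        package_8c, sig_8c = domain.attest(package_8b, sign(self.sign_key, package_8b), self.sign_key)
        # Equation 16 check: domain signature over Package_8c(i) || nonce_8b(i)
        if not verify(self.domain_keys[domain.name], package_8c + nonce_8b.encode(), sig_8c):
            raise ValueError(f"attestation from {domain.name} does not verify")
        resp = json.loads(package_8c)
        if resp["domain"] != domain.name:
            raise ValueError("attestation names a different domain")
        return package_8c, sig_8c, resp["nonce_8c"]

    def build_tpia(self, domains, pcr_range):
        """Equation 17: TPIA = Concatenation{signed PCR values from Domain(i)},
        signed by the SDM together with Concatenation{nonce_8c(i)}."""
        entries, nonces_8c = [], []
        for d in domains:
            package_8c, sig_8c, nonce_8c = self.request_attestation(d, pcr_range)
            entries.append({"package_8c": package_8c.decode(), "sig_8c": sig_8c.hex()})
            nonces_8c.append(nonce_8c)
        tpia = json.dumps(entries, sort_keys=True).encode()
        return tpia, sign(self.sign_key, tpia + "".join(nonces_8c).encode()), nonces_8c


def demo():
    """Constructed scenario: two domains, an authorized SDM, an SDM with a
    wrong token, and a replayed request."""
    token = "constructed-authorization-token"
    sdm_key = secrets.token_bytes(32)
    domain_keys = {"TD_RO": secrets.token_bytes(32), "TD_DO": secrets.token_bytes(32)}
    domains = [TrustedDomain(n, [f"{i:02x}" * 32 for i in range(8)], k, token)
               for n, k in domain_keys.items()]
    sdm = SDM(sdm_key, token, domain_keys)
    tpia, tpia_sig, nonces = sdm.build_tpia(domains, (0, 3))
    out = {"tpia_entries": len(json.loads(tpia)),
           "tpia_signature_ok": verify(sdm_key, tpia + "".join(nonces).encode(), tpia_sig)}
    try:
        SDM(sdm_key, "wrong-token", domain_keys).request_attestation(domains[0], (0, 3))
        out["unauthorized_rejected"] = False
    except PermissionError:
        out["unauthorized_rejected"] = True
    package = json.dumps({"Request_for_Attestation": True, "token": token,
                          "pcr_range": [0, 1], "nonce_8b": "fixed-nonce"}, sort_keys=True).encode()
    domains[1].attest(package, sign(sdm_key, package), sdm_key)      # first use is answered
    try:
        domains[1].attest(package, sign(sdm_key, package), sdm_key)  # second use is a replay
        out["replay_rejected"] = False
    except PermissionError:
        out["replay_rejected"] = True
    return out
```

Two checks matter for a verifier of this exchange: the domain must refuse a request whose authorization data is wrong before reading any PCR, and the SDM must verify each reply against the nonce it sent, since a signature over Package_8c alone would let a stale reply be presented as fresh.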
For TPES preparation, the SDM can generate the TPES by concatenating information it collects from TDDM, TDDO and TDDomains(i). This information can be, for example, the THSM HW and SW configuration and version numbers obtainable from the DM domain, the BIOS configuration, the number of domains on the platform, the total platform resources (such as memory) used by the current domains, the platform resources reserved for further building or expanding existing or new domains, the names of the domains or the names or IDs of their owners (if the respective domain owner permits, e.g. an NAI), the date/time at which the SDM collected the above environment information (or a monotonic counter value if a monotonic counter is available but date/time is not), or any other persistent information. This can be expressed as:
Def) TPES = {collected information}
Equation 18
The SDM can sign the TPIA and TPES and forward them to TD*RO_Target. The SDM can also include the signed SCARD, so that if the DO cannot check the SCARD, it may not need to rely on any original TD*RO_Target. The SCARD can be sent to the RO together with the TPIA and TPES, so that the RO can decide, after checking the SCARD, TPIA and TPES, whether to proceed with the take-ownership process. This messaging can be expressed as:
SDM → TDRO_Target:
SCARD || nonce_8fb || [SHA-X(SCARD || nonce_8fb)]Ksign_SDM,
TPIA || Concatenation{nonce_8c(i)} || [SHA-X(TPIA || Concatenation{nonce_8c(i)})]Ksign_SDM,
TPES || nonce_8f || [SHA-X(TPES || nonce_8f)]Ksign_SDM
or
SCARD || TPIA || TPES || [SHA-X(SCARD || TPIA || TPES || nonce_8f)]Ksign_SDM
Equation 19
Once the TPIA, TPES and SCARD are received from the SDM, their integrity can be checked using the SDM's public signing key. The TPIA, TPES and SCARD, a purpose information element (P) indicating the service desired by the user, and a request for a take-ownership message (request_TO) can then be sent to the ME. If the RTO process targets a domain that must be provisioned with full TSIM capability, a signed certificate for the TSIM functionality (CertTSIM) can also be prepared and sent with the above package.
There may be two or more certificates for the TSIM functionality: one for the original TSIM functionality (CERT*TSIM) and another for functionality that has been fully instantiated or updated. The certificate for the original TSIM functionality can be embedded in a modular way in the certificate structure for the DM, e.g. it can be inserted into the original domain as functionality coming from the DM.
When the RO performs an RTO process after TDRO has already gone through at least one RTO, it may no longer need to send CERT*TSIM, because that certificate is only suitable for use with the original domain, and TDRO is no longer an original domain. In this case the RO can therefore send the updated certificate CERTTSIM.
If the target RO already knows, before TD*RO_Target is used, when the original TD*RO_Target was loaded, the content can be encrypted with the target RO's public encryption key (K_Target_RO_pub), which can be provided, for example, via a certificate or by pre-configuration. The TSIM can be pre-provisioned with a signing key K_TSIM-Sign. The public key corresponding to this private signing key can be distributed to the target RO in advance. IDME is the ID of the ME, which TD*RO_Target obtains from the THSM DM's domain TDDM, which securely holds the ME ID. This can be expressed as:
Def) Package_9 = SCARD || TPIA || TPES || P || Request_TO || CertTSIM || IDME || nonce_9
TD*RO_Target → ME:
{Package_9}K_Target_RO_Pub || [SHA-X(Package_9)]K_TSIM-SIGN
Equation 20
With reference to the third embodiment, the values MPIA and MPES can be added to the message. The MPIA can include a digest computed in the THSM from the configuration data (MPID) compiled by the MTE. This digest can only be validated if it matches the obtained certified measurement, which either pre-exists in a configuration file or is delivered through real-time communication with the DM. In accordance with the RO's request for integrity and environment information, Equation 20 can include a simple indication that the SDM successfully received the MPID and MPES. This can be expressed as:
Def) Package_9 = SCARD || TPIA || TPES || MPIA || MPES || P || Request_TO || CertTSIM || IDME || nonce_9
TD*RO_Target → ME:
{Package_9}K_Target_RO_Pub || [SHA-X(Package_9)]K_TSIM-SIGN
Equation 21
The ME can deliver the entire above message to the RO, which can be expressed as:
ME → Target RO:
{Package_9}K_Target_RO_Pub || [SHA-X(Package_9)]K_TSIM-SIGN
Equation 22
With reference to the third embodiment, this message will include MPIA and MPES.
The RO can use its private key KTarget_RO_Priv to decrypt Package_10, check the ME's ID and interpret the messages. The RO can interpret the SCARD and see whether it "agrees with" these conditions from the SDP. If the RO agrees with the SCARD, then, for example, the value TPIA from the original TD*RO_Target can be interpreted as representing the entire initial TSIM state before any service credentials or configuration controls are provided to the target TO domain TD*RO_Target. The value P can be interpreted as indicating the service desired by the user. The target RO (which, in the case of a TSIM-enabled TD*RO_Target, can be an MNO) can verify the integrity of the domains of interest indicated in the TPIA by comparing it with the reference integrity metric (RIM) value (RIMRO) that it obtains independently from the TTP.
The MNO can have the ability to know the expected value of the TPIA through a certificate provided by the supplier of the WTRU/THSM, e.g. a certificate provided to the TTP. With reference to the third embodiment, the expected values of MPIA and MPES can be known in advance through a certification process, which is made possible by the fact that the MTE is a trusted entity whose trustworthiness is vouched for by the THSM.
The target RO can examine the received TPES and assess whether TD*RO_Target is in a THSM system whose "surrounding system environment" (e.g. the system represented by the TPES) is, from the RO's point of view, agreeable to the target RO, thereby allowing it to proceed further with the RTO process.
After checking the TPIA, TPES, purpose P, Request_TO and, with reference to the third embodiment, MPIA and MPES, the target RO, such as an MNO, can determine that the original TD*RO_Target whose ownership the target RO is being asked to take, and in general the THSM containing TD*RO_Target, are "trustworthy" enough to allow it to proceed further with the RTO process and to let TD*RO_Target interact with it to provide certain pre-specified basic services.
To perform the take-ownership process for TD*RO_Target, so that the domain can later download keys, a more complete configuration, parameters and executable code and install them in a state that is more capable than the basic "original" state and is also required, or owned and managed, by the target remote owner (RO), the target RO can send a configuration signal (CONFIG), which can include executable code. The RO also sends the RIM for the TSIM, referred to as RIMTSIM, which matches the post-installation state if the configuration, parameters and executable code are installed according to the received CONFIG. RIMTSIM can be stored in secure memory on TD*RO_Target and can be used to check the integrity of the TSIM functionality at later boot times. In addition, a domain policy (DP) can be included in the transaction, which specifies the security measures to be used as well as other configuration matters.
The RO-specific domain policy (DP) can differ from the system-level domain policy (SDP), which is maintained by the SDM and represents the policy for building and maintaining the one or more domains owned by a particular RO on the THSM. The RO-specific DP can include policies or plans that govern only the applications within the domain and security measures specific and unique to that particular domain.
Some ROs can produce their DP in such a way that the DP also includes clauses restricting which other ROs are eligible to be built or managed on the THSM. For example, a mobile network operator (MNO_A) can produce its DPMNO_A in such a way that, after DPMNO_A has been downloaded and installed, if certain conditions specified in DPMNO_A regarding the status and properties of certain other domains on the THSM are found not to be met, the target domain of that MNO_A (TDMNO_A) will be governed by a set of restrictions, e.g. on its services or activation. For example, the MNO can implement DPMNO_A such that, if TDMNO_A, after surveying the larger environment inside the THSM, finds that other MNO domains with their own activated TSIM functionality are installed and activated on the same THSM, TDMNO_A will disable its TSIM functionality.
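An evaluator for a DP clause of the MNO_A kind just described: after the DP is installed, the domain surveys the other domains on the THSM and, if another MNO domain with activated TSIM is present, disables its own TSIM. This is an added example, not the patent's own code; the clause schema (other owner type, other TSIM state, restrictions to apply), the domain records and the owner categories are constructed assumptions.

```python
from dataclasses import dataclass, field


@dataclass
class DomainRecord:
    """What TD_MNO_A can learn about one domain on the THSM (assumed fields)."""
    name: str
    owner: str          # remote owner ID, e.g. "MNO_A"
    owner_type: str     # assumed categories: "MNO", "DM", "DO", "USER"
    active: bool
    tsim_active: bool


@dataclass
class DPClause:
    """If any other domain matches the condition, apply the restrictions."""
    other_owner_type: str
    other_tsim_active: bool
    restrictions: tuple


@dataclass
class DomainPolicy:
    owner: str
    clauses: list = field(default_factory=list)


def evaluate_dp(own: DomainRecord, dp: DomainPolicy, platform) -> set:
    """Return the restrictions that now govern `own`, given the other
    domains visible on the THSM.  Domains of the same owner never trigger."""
    restrictions = set()
    for clause in dp.clauses:
        for d in platform:
            if d.name == own.name or d.owner == own.owner:
                continue
            if (d.active and d.owner_type == clause.other_owner_type
                    and d.tsim_active == clause.other_tsim_active):
                restrictions.update(clause.restrictions)
    return restrictions


def apply_restrictions(own: DomainRecord, restrictions: set) -> DomainRecord:
    if "disable_tsim" in restrictions:
        own.tsim_active = False
    if "deactivate" in restrictions:
        own.active = False
    return own


# DP_MNO_A: another active MNO domain with activated TSIM => disable own TSIM.
DP_MNO_A = DomainPolicy("MNO_A", [DPClause("MNO", True, ("disable_tsim",))])


def demo():
    """Constructed platforms: TD_MNO_A alone, beside a dormant MNO_B domain,
    and beside an MNO_B domain whose TSIM is active."""
    td_a = DomainRecord("TD_MNO_A", "MNO_A", "MNO", True, True)
    base = [DomainRecord("TD_DM", "DM_1", "DM", True, False),
            DomainRecord("TD_DO", "DO_1", "DO", True, False), td_a]
    alone = evaluate_dp(td_a, DP_MNO_A, base)
    dormant_b = DomainRecord("TD_MNO_B", "MNO_B", "MNO", True, False)
    with_dormant = evaluate_dp(td_a, DP_MNO_A, base + [dormant_b])
    active_b = DomainRecord("TD_MNO_B", "MNO_B", "MNO", True, True)
    with_active = evaluate_dp(td_a, DP_MNO_A, base + [active_b])
    apply_restrictions(td_a, with_active)
    return {"alone": alone, "with_dormant": with_dormant,
            "with_active": with_active, "tsim_after": td_a.tsim_active}
```

Because the SDM mediates conflicts between domain policies, a deployment would re-run this evaluation whenever the SDM reports a change in the set of active domains, not only once at DP installation.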
TD*RO_Target may need to configure itself in a manner corresponding to the service requested in P. For example, the RO can send a response to the ME, where the confidentiality of the message is protected with the public key KTSIM-Pub. The ME can deliver this message to TD*Target_RO on the THSM. CertRO can include the target RO's public key K_RO-priv. At this point the RO can send the reference integrity metric (RIM) for the TSIM. The RO response can be expressed as:
Def) Package_10 = {CONFIG, DPRO, IDRO, RIMTSIM}KTSIM-Pub || CertRO || CertTSIM || nonce_10
Target RO → ME:
{Package_10}K_RO-Priv || [SHA-X(Package_13 || nonce_9)]K_TSIM-SIGN
Equation 23
ME → TD*Target RO:
{Package_10}K_RO-Priv || [SHA-X(Package_13 || nonce_9)]K_TSIM-SIGN
Equation 24
TD*RO_Target can decrypt the message with the private key KTSIM-Priv and, after checking the certificate with the CA, verify the RO's signature with the public key KRO-Pub in CertRO. It can securely store the received reference integrity metric RIMTSIM for the TSIM application. It can check the RO ID, then check the RO's policy and determine whether it can proceed with the remaining configuration and installation of CONFIG. TD*RO_Target can reconfigure itself by means of CONFIG to reach the "complete" domain state and then perform a self-check to determine whether the measured metric of its TSIM functionality matches the metric delivered by the network and represented in RIMTSIM. The domain is now "complete" and no longer "original", so the asterisk * in the notation is removed. This can be expressed as:
TD*Target RO: check DPRO, store RIMTSIM and install CONFIG
→
TDTarget RO: RO domain is "complete"
Equation 25
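The domain-side steps of Equation 25 (check the RO ID and DP, store RIMTSIM, install CONFIG, self-check the measured TSIM state against RIMTSIM, and only then drop the asterisk), together with the later boot-time check against the stored RIM, as an added simulation rather than the patent's own code. The measurement rule (SHA-256 over the installed CONFIG items in a fixed order), the DP acceptance rule (the domain must support every security measure the DP requests), the sample CONFIG and the RO identifiers are constructed assumptions.

```python
import hashlib

# Security measures this domain can provide (assumed set used by the DP check).
SUPPORTED_MEASURES = {"secure_storage", "integrity_check_at_boot", "code_signing"}


def measure(installed: dict) -> bytes:
    """Measured metric of the TSIM functionality: hash of every installed
    item in sorted order (assumed measurement rule)."""
    h = hashlib.sha256()
    for name in sorted(installed):
        h.update(name.encode() + b"\0" + installed[name] + b"\0")
    return h.digest()


class RODomain:
    def __init__(self, expected_ro_id):
        self.expected_ro_id = expected_ro_id
        self.original = True          # the '*' of TD*_RO_Target
        self.secure_store = {}        # RIM_TSIM lives here after receipt
        self.installed = {}           # TSIM configuration, parameters and code

    def take_ownership(self, id_ro, dp_ro, rim_tsim, config):
        """Contents of Package_10 after decryption and signature check."""
        if id_ro != self.expected_ro_id:
            return "rejected: RO ID not expected"
        requested = set(dp_ro.get("security_measures", ()))
        if not requested <= SUPPORTED_MEASURES:
            missing = sorted(requested - SUPPORTED_MEASURES)
            return f"rejected: DP requires unsupported measures {missing}"
        self.secure_store["RIM_TSIM"] = rim_tsim
        self.installed = dict(config)                 # install CONFIG
        if measure(self.installed) != rim_tsim:       # self-check against RIM_TSIM
            self.installed = {}                       # roll back; stay original
            return "failed: measured TSIM state does not match RIM_TSIM"
        self.original = False                         # TD*_RO_Target -> TD_RO_Target
        return "domain completed"

    def boot_check(self) -> bool:
        """Later boot-time integrity check of the TSIM functionality."""
        return bool(self.installed) and measure(self.installed) == self.secure_store.get("RIM_TSIM")


# Constructed CONFIG delivered by the RO (not taken from the patent).
CONFIG = {"tsim/auth.bin": b"AKA authentication code v3",
          "tsim/params": b"operator parameters",
          "tsim/policy": b"DP_RO"}


def demo():
    rim_tsim = measure(CONFIG)        # the RO computes RIM_TSIM for this CONFIG
    dp_ro = {"security_measures": {"secure_storage", "integrity_check_at_boot"}}
    good = RODomain("MNO_A")
    r_good = good.take_ownership("MNO_A", dp_ro, rim_tsim, CONFIG)
    tampered = dict(CONFIG, **{"tsim/auth.bin": b"AKA authentication code v3 (altered in transit)"})
    bad = RODomain("MNO_A")
    r_bad = bad.take_ownership("MNO_A", dp_ro, rim_tsim, tampered)
    r_unknown = RODomain("MNO_A").take_ownership("MNO_B", dp_ro, rim_tsim, CONFIG)
    r_dp = RODomain("MNO_A").take_ownership("MNO_A", {"security_measures": {"remote_wipe"}},
                                            rim_tsim, CONFIG)
    return {"good": r_good, "good_original": good.original, "boot_ok": good.boot_check(),
            "tampered": r_bad, "tampered_original": bad.original,
            "unknown_ro": r_unknown, "dp_rejected": r_dp}
```

The ordering is deliberate: RIMTSIM is stored and CONFIG installed before the self-check, but the "complete" state is only entered after the measurement matches, so a CONFIG that was altered in transit leaves the domain in its original state rather than half-configured.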
The completed domain TDTargetRO can send an "RTO successful and domain complete" status message to the ME, which the ME can forward to the target RO. This can be expressed as:
Def) Package_11 = {"domain completed" || IDRO_Target}K_RO-Pub || nonce_11
TDTarget RO → ME:
Package_11 || [SHA-X(Package_11 || nonce_10)]K_TSIM_SIGN
Equation 26
Optionally, the ME can send a status message to the user. For example, the message can be displayed on the WTRU's screen and indicate that the phone is now ready for registration and credential roll-out.
The ME can forward this status message to the RO, indicating that the reconfiguration of the platform has completed successfully and that it is ready to register TSIM credentials. TDRO_Target has reached the "THSM_TDRO_LOAD_COMPLETE" state. This message can be expressed as:
ME → Target RO:
Package_11 || [SHA-X(Package_11 || nonce_10)]K_TSIM_SIGN
Equation 27
This RTO protocol can serve as a precursor to a protocol for registering the user, as owner or user of the THSM, with a 3G UMTS network operator that provides the subscription service, and to a protocol for downloading and provisioning the credentials for authentication and key agreement (AKA), including downloading and provisioning the shared secret K and the subscriber identity IMSI.
The certificates CertTSIM and CertRO for the public/private key sets can be delivered in the messages that use them. Alternatively, the RO domain (TDRO) and the RO can obtain the respective certificates for TDRO and the RO from a trusted third party. This can be expressed as follows:
TTP → ME → TDRO: CertRO
TTP → RO: CertTSIM
Equation 28
In another alternative embodiment, the RO certificate CertRO can be delivered from the network to the ME, and the THSM certificate CertTSIM can be delivered from the ME to the network, before the messages that use these certificates are delivered. Thus, the encrypted messages described here can be preceded by communications that can be expressed as:
ME → RO: CertTSIM (before the message of step 9 is sent)
RO → ME: CERTRO (before the message of step 13 is sent)
Equation 29
For each of these alternative certificate delivery methods, the entity ID can be sent together with the message that uses the public encryption key.
In another alternative embodiment, a symmetric key can be used instead of a public key to protect the confidentiality of a message. In each instance, the sender can generate a symmetric key Ks, e.g. with a pseudo-random number generator (PRNG), and use this key instead of the public key to protect the confidentiality of the message. The symmetric encryption key can then be sent to the recipient together with the encrypted message, protected with the public key. The recipient can thus use its private key to recover Ks, and then use Ks to decrypt the message.
With reference to the second embodiment, the THSM and ME may differ from those of the first embodiment. Instead of the ME itself or a trusted entity inside the ME such as the MTE, the THSM can be configured to perform integrity checks on some or all of the ME's code when the ME boots. Optionally, the THSM can also store some or all of the boot code for the ME. The THSM is not necessarily configured to attest the integrity of the ME to an external evaluator; it can be configured to perform a "local" check of the ME's integrity at boot time.
The integrity value of the ME can be used in the boot process and not necessarily in the RTO process. The integrity measurement of the ME, denoted meas_ME, represents the ME code and configuration state resulting from the ME's secure boot, and can be obtained by the THSM's DM domain TEDM. The THSM's TDDM can check the validity of meas_ME, but it may not incorporate it into the platform attestation.
With reference to the fourth embodiment, the ME can be a trusted ME, e.g. in the sense of the TCG MPWG. The ME can include a mobile trusted module (MTM) and can be trusted because it uses the MTM as a trust anchor providing the roots of trust for storage, reporting, measurement, verification and enforcement.
Figures 4 and 4A show an example call flow diagram for the remote take-ownership process. For example, Figures 4 and 4A show exemplary calls between one or more of the ME 402, TDDO 404, SDM 406, TD*Target_RO 408 and target RO 410. The arrows in Figures 4 and 4A can represent the origin/destination of the calls.
As shown in Figures 2 and 3, the SDM can include a system-level domain manager that resides in the THSM and provides part of the DO functionality. The SDM can supervise and coordinate the set-up of all domains in the device in accordance with domain-specific policies, ensuring that all of these domains operate and interact with each other in a manner consistent with the SDP, so that any conflicts among these policies are mediated by the SDM acting on behalf of the DO and the ROs of the other domains. TDDO can include the mandatory device owner domain in the THSM. TDDO can include the SDM and can thus maintain the system-level domain policy. The MTE can include the policy manager MEPDM for the ME side. MEPDM can perform the policy manager function on the ME, but may be supervised by the SDM in the THSM. ME*Target_RO can include an original domain set up for remote ownership by an authorized remote owner. The target RO can include the remote owner requesting ownership of ME*Target_RO.
The ME can take on the full MTM functionality, so that remote take-ownership of domains on the ME by identified remote owners is supported. The process is similar to the RTO described with reference to the first embodiment; the difference is mainly that the SDM, via MEPDM, exercises final policy control over those domains on the THSM and the ME that are owned by the same remote owner. Therefore, any ME domains owned by an owner who also owns domains on the THSM must be formed and managed in a manner consistent with the SDM's policy.
仍旧参考图4,在41,ME 402可以完成基本码引导处理。在415,THSM可以安全地引导。该THSM可以加载DO域,SDM包括在内;其中该SDM可以提供:1)可用于域的构建的资源;和/或2)用户可接受的域的列表。在42,THSM可以完成其引导。在43,ME可以表明其引导完成。在这个处理过程中可以构建DM域,此外还可以构建可选的用户域(MEU),并且可用资源将被检查。DM域可以包括MEPDM,它提供了用于ME设备的域策略的初始配置和规定。依照MEDM的预先配置,该策略可以在用于ME域与THSM域之间具有公共远端所有者的这些域(例如一个在THSM上,另一个在ME上)的策略方面与SDP的策略相一致。Still referring to FIG. 4, at 41, the
仍旧参考图4,在431,具有预先配置的域的ME可以发送启动RTO的“引导完成”消息。该消息可以包括关于DM域策略以及ME中的可用资源的显式信息。在44,这时可以发送要求启动RTO的请求,其中该请求包含了目标域规划。在455,TD*Target_RO 408可以确定接受还是拒绝RTO启动请求。在45处可以发送表明是否应该启动RTO的消息。可替换地,在456,RTO可以由TD*Target_RO 408发起。在451,TD*Target_RO 408可以发送“启动RTO最终域规划的意愿”。Still referring to FIG. 4 , at 431 the ME with the pre-configured domain may send a "Boot Complete" message that initiates the RTO. This message may include explicit information about DM domain policies as well as available resources in the ME. At 44, a request to initiate an RTO may now be sent, where the request includes a target domain plan. At 455, TD*Target_RO 408 may determine whether to accept or deny the RTO start request. A message may be sent at 45 indicating whether an RTO should be initiated. Alternatively, the RTO may be initiated by the TD*Target_RO 408 at 456 . At 451, the TD*Target_RO 408 may send a "Wish to Initiate RTO Final Domain Planning".
SDM可以通过评估THSM的系统级域策略(SDP),并且确定在ME域上施加或分配哪些限制,从而对ME引导消息做出反应。这些策略限制可以包括:依照域相关联的远端所有者,ME和THSM上的哪些域是可允许的。SDM可以确定ME允许将哪些系统级资源用于具有THSM上的域的相同远端所有者拥有的域,这其中包括那些已经为其所知的资源。MEPDM可以经由等式7中的消息接收该信息。该SDM还可以包括针对其基本策略的策略限制以及针对其资源列表的可允许资源。在MEPDM接收到信息之后,它可以在做出和实施关于资源以及ME上的域的管理方面的决定的时候运用某些权限,而不需要从SDM那里获取用于所有这些决定的许可。The SDM can react to ME bootstrap messages by evaluating the THSM's System Level Domain Policy (SDP) and determining what restrictions to impose or assign on the ME domain. These policy restrictions may include which domains are permissible on the ME and THSM according to the domain's associated remote owner. The SDM can determine which system-level resources the ME is allowed to use for domains owned by the same remote owner as the domain on the THSM, including those already known to it. The MEPDM may receive this information via the message in Equation 7. The SDM may also include policy restrictions for its base policy and allowable resources for its resource list. After the MEPDM has received the information, it can exercise certain authorities in making and implementing decisions regarding the management of resources and domains on the ME without needing permission from the SDM for all these decisions.
仍旧参考图4,该处理可以在465处继续进行。在465,下列各项可以被检查和/或评估:SDP、可用资源、和/或可接受域和/状态。在46可以发送“同意启动”信号。在47可以发送用于TPIA、TPES、MPID和MPES的请求。在475,举例来说,SDM 406可以在每一个域上的PCR范围中收集/级联来自现有域的完整性证明、和/或收集和/或级联TPES信息。Still referring to FIG. 4 , the process may continue at 465 . At 465, the following may be checked and/or evaluated: SDP, available resources, and/or acceptable domains and/or status. An "agree to start" signal may be sent at 46 . Requests for TPIA, TPES, MPID and MPES may be sent at 47. At 475,
在471,用于MPID和MPES的请求可以被发送。在476,MTE可以处理针对用于MPID和MPES的请求的响应。在48,MPID和MPES可以与信任证明和签名密钥一起发送。在481,TPIA、TPES、MPID以及MPES可以被SDM 406发送至TE*Target_RO 408。在485,THSM可以从MPID(原始数据)中计算出摘要MPIA,并且检查该MPIA。如果可接受,则可以将摘要MPIA发送到RO。在49,用于TPIA||TPES||MPIA||MPES||目的||RTO的请求可被发送。At 471, requests for MPID and MPES can be sent. At 476, the MTE may process the response to the request for MPID and MPES. At 48, the MPID and MPES may be sent along with the proof of trust and signing key. At 481 , TPIA, TPES, MPID, and MPES may be sent by
Referring to FIG. 4A and continuing the RTO process, at 410 the TPIA||TPES||MPIA||MPES||purpose||RTO message may be sent to the target RO 410. At 418, for example, the target RO 410 may perform one or more of the following: check TPIA, TPES, MPIA, MPES and the purpose; determine the trustworthiness of the pristine domain against RIM_TDRO; check the acceptability of the DP; or create CONFIG to build the complete domain state.
In an alternative to the above embodiment, TD*Target_RO 408 requests from the SDM a simple indication of the trustworthiness of the ME instead of MPIA and MPES; in that case the SDM provides TPIA, TPES and the ME trustworthiness indication. The SDM nevertheless still requests and receives MPIA and MPES from the MTE.
Still referring to FIG. 4A, at 411 the message CONFIG||DP||RIM_TDRO||RO may be sent. At 412, the CONFIG||DP||RIM_TDRO||RO message may be forwarded. At 428, the domain may now be built and configured, and its integrity may be checked against RIM_TDRO. In addition, ownership of TD*Target_RO may be taken, thereby converting it into TD_Target_RO. At 413, a domain-complete message may be sent. At 414, the domain-complete message may be forwarded.
FIGS. 5 and 5A show an example call flow for the remote take-ownership process using full attestation (for example in connection with the fourth embodiment). By way of example, FIGS. 5 and 5A show example calls between one or more of the SDM 502, TD_DO 504, ME_PDM 506, ME*Target_RO 508 and the target RO 510. The arrows in FIGS. 5 and 5A may represent the origin/destination of a call. At 51, a base-code boot-complete message may be sent. In response, at 515, the THSM may securely boot and load the DO domain, which includes the SDM. At 52, a THSM boot-complete message may be sent. In response, at 525, the ME may securely boot, which may include loading the DM domain (which in turn contains the ME_PDM) and checking the available resources. The ME_PDM may provide an initial configuration that specifies a domain policy consistent with the SDP and the available resources. At 53, an ME secure-boot-complete message may be sent, including the DM domain (policy information) and the resources available in the ME. At 531, the "ME boot complete" message may be forwarded to the SDM 502. At 535, for example, the SDM 502 may evaluate the system-level policy and determine the permitted domains, resources and policy restrictions for the ME. At 54, a message may be sent that provides information on the domain policy restrictions and/or the permitted resources. At 545, the policy restrictions may be appended to the base policy and, if needed, the resource list may be revised.
Elements 55-511 in FIGS. 5 and 5A may be similar to elements 45-414 in FIGS. 4 and 4A. The evaluation of the values MPIA and MPES may be similar to that in Equations 14-19. The ME may have MTM capability and may be configured to compute the digest MPIA itself rather than only the raw data MPID. The updated policy restrictions conveyed by the SDM may be checked so that prohibited domains or domain policies are not implemented. Policy checking and evaluation may be performed by the ME_PDM.
At 55, a request to initiate the RTO may be sent, where the request may include the target domain plan. At 555, the ME_PDM may decide whether to accept or reject the RTO request. At 551, a message indicating whether the RTO should be initiated may be sent. In an alternative embodiment, at 556, the ME target may itself initiate the intention to start the RTO. At 56, an intention-to-start-RTO message may be sent. At 565, the following may be checked and/or evaluated: 1) the extended domain policy; and/or 2) the available resources, acceptable domains and states according to the extended policy. At 561, a message indicating that starting the RTO is acceptable may be sent. At 57, a request for MPIA and MPES from the set of ME domains may be sent. At 575, the integrity attestations (MPIA) from the existing domains may be collected and concatenated over the PCR range on each domain, and the MPES information may likewise be collected and concatenated. At 58, MPIA and MPES may be sent. At 59, an MPIA||MPES||purpose||RTO request may be sent (the integrity and confidentiality of the message may be protected with certified public/private keys). At 595, for example, the target RO 510 may perform one or more of the following: check MPIA, MPES and the purpose; determine the trustworthiness of the pristine domain against RIM_TSIM; check the acceptability of the DP; or create CONFIG to build the complete domain state. At 514, the message CONFIG||DP||RIM_TSIM||RO may be sent. At 515, the domain may be built and configured, and its integrity may be checked against RIM_TDRO. In addition, ownership of ME*Target_RO may be taken, thereby converting it into ME_Target_RO. At 511, a domain-complete message may be sent (signed, integrity-protected). The ME may communicate directly with the target RO, so the message forwarding shown in FIGS. 3 and 3A is not used and the number of messages may be reduced. FIG. 5 does not show the details of the certificates needed for the public/private key exchange in the messaging between the ME and the target RO, nor the details relating to the RIM certificate for the trustworthiness of the pristine tool.
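The MPIA||MPES||purpose||RTO exchange of FIG. 5 reduces, on the target RO side, to a handful of checks: the message is intact, every domain's MPIA digest matches the RO's reference integrity metric (RIM) for it, no unexpected domain is active, and the stated purpose is one the RO accepts. The following is an added illustration in Python and is not code from the patent or its assignee. It constructs its own per-domain measurements, uses a TPM-style extend to turn them into the MPIA digests, and protects the request with an HMAC as a stand-in for the certified public/private-key protection the text names; all names (`collect_mpia`, `target_ro_check`, the domain labels) are assumptions.

```python
"""Added example: ME-side attestation collection and target-RO checks for
MPIA||MPES||purpose||RTO. Not the patent's code; names and data are
constructed. HMAC-SHA256 stands in for the certified-key signature."""
import hashlib
import hmac
import json

# Constructed PCR-style measurements on the ME, one list per ME domain.
ME_DOMAINS = {
    "ME_DM": ["a1" * 32, "b2" * 32],   # domain-manager domain
    "ME_U":  ["c3" * 32],              # user domain
}
# Constructed environment summaries that form the MPES part of the request.
ME_DOMAIN_STATE = {
    "ME_DM": {"active": True, "purpose": "platform-management"},
    "ME_U":  {"active": True, "purpose": "user-apps"},
}


def extend(acc, measurement_hex):
    """TPM-style extend: acc = H(acc || measurement)."""
    return hashlib.sha256(acc + bytes.fromhex(measurement_hex)).digest()


def collect_mpia(domains):
    """Concatenate the PCR range of each domain into one digest (the MPIA)."""
    mpia = {}
    for name, pcrs in sorted(domains.items()):
        acc = b"\x00" * 32
        for m in pcrs:
            acc = extend(acc, m)
        mpia[name] = acc.hex()
    return mpia


def build_rto_request(mpia, mpes, purpose, key):
    """Assemble MPIA||MPES||purpose||RTO and attach an integrity tag."""
    body = json.dumps({"MPIA": mpia, "MPES": mpes, "purpose": purpose,
                       "op": "RTO"}, sort_keys=True).encode()
    tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    return body, tag


def target_ro_check(body, tag, key, rim, acceptable_purposes):
    """Target RO: verify the tag, compare MPIA with the RIM, check MPES and
    purpose. Returns (accepted, reasons, CONFIG-or-None)."""
    expected_tag = hmac.new(key, body, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, tag):
        return False, ["integrity check failed"], None
    req = json.loads(body)
    reasons = []
    if req.get("op") != "RTO":
        reasons.append("not an RTO request")
    if req.get("purpose") not in acceptable_purposes:
        reasons.append(f"purpose {req.get('purpose')!r} not acceptable")
    for dom, reference in rim.items():          # every reference domain must match
        if req["MPIA"].get(dom) != reference:
            reasons.append(f"MPIA mismatch for {dom}")
    for dom in req["MPES"]:                      # no domain the RO does not know
        if dom not in rim:
            reasons.append(f"unknown active domain {dom}")
    if reasons:
        return False, reasons, None
    config = {"domain": "TD_Target_RO", "purpose": req["purpose"], "rim": rim}
    return True, [], config


def demo():
    """Run a clean request and a tampered one against the same RIM."""
    key = b"constructed-shared-key"            # stand-in for the certified key pair
    rim = collect_mpia(ME_DOMAINS)             # RO's reference values for a good ME
    body, tag = build_rto_request(collect_mpia(ME_DOMAINS), ME_DOMAIN_STATE,
                                  "geo-tracking", key)
    ok, _, config = target_ro_check(body, tag, key, rim, {"geo-tracking"})
    tampered = {k: list(v) for k, v in ME_DOMAINS.items()}
    tampered["ME_DM"][0] = "ff" * 32           # one altered measurement
    body2, tag2 = build_rto_request(collect_mpia(tampered), ME_DOMAIN_STATE,
                                    "geo-tracking", key)
    bad_ok, reasons, _ = target_ro_check(body2, tag2, key, rim, {"geo-tracking"})
    return ok, config, bad_ok, reasons


if __name__ == "__main__":
    print(demo())
```

Because each domain's measurements are folded into a single extend chain, a change to any one measurement surfaces as a mismatch of that domain's MPIA alone, which is what lets the RO report which domain failed rather than merely that the platform did.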
FIG. 6 shows example state definitions, transitions and control-point definitions for the THSM. As an example, the life cycle of the M2M communication identity module (MCIM) is defined here; the definition and basic functions of that module are set out in PCT patent application WO 2009/092115 (PCT/US2009/031603). The THSM may refine and generalize the functions and features of the MCIM, including its state definitions and transitions.
At 601, the THSM may be in a pre-boot state. A first user may power on the THSM, the THSM may securely boot, and the THSM may be in state 602. At 602, the DM and the DO may exist in a pristine state. The DM domain may be built from a pre-configured file, and the THSM may be in state 606. At 606, the THSM is in post-boot state 2, in which TD_DM may be loaded. From 606, the DO domain may be built from a pre-configured or downloaded file, placing the THSM in state 605. At 605, the THSM may be in post-boot state 3, in which the TD_DO domain may be built but TD_U or TD_RO cannot be loaded. From state 605, the DO domain (SDM) may load the user domain, placing the THSM in state 604. At 604, the THSM may be in post-boot state 2a, in which TD_U may be loaded but an RO domain cannot. From state 605, a pristine RO domain may be built according to the SDP, placing the THSM in state 707. At 707, the THSM may be in post-boot state 7, in which TD_RO and TD_DO have been loaded but TD_U cannot be loaded. From state 607, TD_DO (SDM) may load TD_U, placing the THSM in state 608. At 608, the THSM may load the DO, DU and RO domains.
From state 601, the user may power on and the THSM may securely boot, placing the THSM in state 603. At 603, the THSM may be loaded with a stored configuration, namely the configuration from before the most recent power-on. From state 603, post-boot transactions that change the configuration may be performed, placing the THSM in state 610. At 610, the THSM is in a state in which one or more previously active states have all become inactive. Through a process similar to the one that reaches state 610 from 603, the THSM may be in state 609, in which the THSM has one or more active domains. From state 609, a transition may occur because of a configuration-change event, placing the THSM in state 610 again.
In states 604, 605, 607 and 608, the THSM may be reconfigured by using new policies and/or executable code, or by transitions to inactive states. In addition, the SDP may be stored in state 605.
In a first domain management approach, the policy from the domain owner, i.e. the system-level domain policy (SDP), may be very restrictive and "static", and may carry hard-and-fast rules on new domain activity or purposes. Such policies may help reduce the need to communicate every new domain entry or update of an existing domain to the ROs.
In a second domain management approach, the SDP may be less restrictive and may provide more flexibility in terms of activity and purpose. Every new domain entry and every domain change may be reported to the existing domain owners. This may lead to a more dynamic policy enforcement system in which initial and follow-up negotiation can take place between the platform and the RO.
With reference to the first domain management approach, the SDP may specify, without exception, the domains permitted in a pre-configured list. The list may include information on the types of RO and the number permitted (for each type). The list may also include the types of service the ROs may provide once they have established their domains. A prospective RO may be one that satisfies the criteria indicated in the list. As part of the RTO process, for example as shown in Equation 9, the RO may be made aware of conditions such as the list and the policy restrictions. Once it receives the SCARD, the RO may decide independently whether it wishes to be a stakeholder on the platform or device in question. The conditions sent to the RO may include the domain types and their purposes rather than the actual names of any other ROs in the list, thereby protecting the identities of the other ROs. If the RO decides to complete the RTO, it is assured that neither it, nor other ROs currently active on the platform, nor any other RO that becomes active in the future will be allowed to deviate from the policy. As a result, the RO may not need to be, or may not be, made aware of subsequent RTOs that may take place.
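Under the first, "static" approach the SDM's work at RTO time is a pure list check: is the requesting RO's type on the permitted list, is the per-type count not yet exhausted, and are the services it wants to offer among those the list allows for that type? The following added example in Python (not the patent's code; the list layout, field names and the operator names are constructed for illustration) shows that check, together with the identity-protecting condition set sent to the prospective RO, which names domain types and purposes but never the other ROs.

```python
"""Added example: static SDP permitted list and the SDM's RTO-time check.
Not the patent's code; SDP layout, field names and operators are constructed."""
from collections import Counter

# Constructed SDP: for each permitted RO type, how many domains of that type may
# exist and which services such a domain may offer once built.
SDP = {
    "permitted": {
        "MNO":      {"max": 2, "services": {"voice", "data", "roaming"}},
        "METERING": {"max": 1, "services": {"smart-billing"}},
        "GEOTRACK": {"max": 1, "services": {"geo-tracking"}},
    }
}


def conditions_for_ro(sdp, existing):
    """SCARD-style conditions for a prospective RO: permitted and currently
    active domain TYPES only; the names of the other ROs are never disclosed."""
    active = Counter(d["type"] for d in existing)
    return {
        "permitted_types": sorted(sdp["permitted"]),
        "active_types": sorted(active.elements()),
    }


def check_rto_request(sdp, existing, request):
    """Decide an RTO request {"ro", "type", "services"} against the static SDP.
    Returns (ok, reason)."""
    entry = sdp["permitted"].get(request["type"])
    if entry is None:
        return False, "RO type not in permitted list"
    in_use = sum(1 for d in existing if d["type"] == request["type"])
    if in_use >= entry["max"]:
        return False, "permitted count for type exhausted"
    extra = set(request["services"]) - entry["services"]
    if extra:
        return False, "services not permitted: " + ",".join(sorted(extra))
    return True, "ok"


if __name__ == "__main__":
    existing = [{"ro": "OpA", "type": "MNO"}, {"ro": "OpB", "type": "MNO"}]
    print(conditions_for_ro(SDP, existing))
    print(check_rto_request(SDP, existing,
                            {"ro": "OpC", "type": "MNO", "services": {"data"}}))
    print(check_rto_request(SDP, existing,
                            {"ro": "MeterCo", "type": "METERING",
                             "services": {"smart-billing"}}))
```

Because every decision is a lookup in the pre-configured list, no message to the already-established ROs is needed when a new RTO arrives, which is the property the first approach trades flexibility for.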
With reference to the second domain management approach, only relatively broad restrictions, and policies that allow more interaction, can be enforced during the RTO process; for example, the relatively broad restriction may be which remote owners are permitted, without identifying any particular RO type, and the interaction may be a request for more information from the RO or the SDM, or some negotiation. In addition, there may be ongoing cooperation between the SDM and all ROs when the domain configuration changes. Thus, initial and even follow-up negotiations may take place as part of the dynamic RO/SDM activity.
As part of the RTO process, the RO may be given the attestation and policy-condition information it needs, such as TPIA, TPES and SCARD, where, compared with the first approach, this information may include more general information on configuration and trustworthiness. Based on the existing domain configuration, the target RO may decide whether to proceed with the RTO. Unless the target RO immediately decides not to take ownership, a negotiation process with the SDM follows. For example, the SDM may ask the target RO which domain types and accompanying services may be active while the target RO's domain is active, or which procedures to follow when a domain type it does not support is about to become active. For example, when some other domain type, or even a domain owned by some other RO, is active or about to become active, the RO may require its own domain to be made inactive, or it may require it to remain active but at reduced capacity or capability. The SDM may also ask the RO which events it should be notified of. These events may include unsupported domain types becoming active or inactive. While its own domain is active, the RO may need to completely prevent other domain types, or domains held by certain other owners, from performing any activity.
The SDM may decide to accept or reject these conditions. Although it works within a broad set of policy requirements, the SDM may have the latitude and the semantic capability to decide whether accepting a request from an RO would still comply with the letter or the intent of the "static" system domain policy (SDP).
FIG. 7 shows example states that an RO domain may reach, and the conditions that may cause transitions, in a dynamically managed environment. At 701, there may be a null state, e.g. the RO may not yet have been built. From 701, a pristine RO domain may be built according to the SDP, placing the RO domain in state 702. From 702, the RTO process may be performed, which includes the RO obtaining TPIA, TPES and SCARD. Further, the RO may accept the RTO conditions, placing the RO domain in state 703. From 703, a newly active domain may be determined to have a policy conflict and, in response, the RO domain's functionality may be reduced or the domain made inactive, placing the RO domain in state 704. Also from 703, the RO domain may receive updated policy/configuration changes, resulting in an RO domain with a modified configuration and/or updated policy restrictions. From 706, a newly active domain may be determined to have a policy conflict and, in response, the RO domain's functionality may be reduced or the domain made inactive, placing the RO domain in state 704. Also from 703, new software components may be introduced via download or RTO, resulting in the RO domain being in a modified/extended state, placing the RO domain in 705. From 705, a newly active domain may be determined to have a policy conflict and, in response, the RO domain's functionality may be reduced or the domain made inactive, placing the RO domain in state 704.
As shown at 711, an RO domain in state 702, 703, 704, 705 or 706 may become null, e.g. by being deleted by the DO, the RO, etc. As shown at 741, for example by resolving the conflict that moved the RO domain to state 704, an inactive/reduced-function RO domain may move to state 703, 705 or 706. As shown at 751, an RO domain in state 705 may move to state 703, 704 or 706. As shown at 761, an RO domain in state 706 may move to state 703, 705 or 706.
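Both FIG. 6 (THSM states 601-610) and FIG. 7 (RO domain states 701-706 with the group transitions 711, 741, 751 and 761) are control-point definitions: the security property is that a transition not in the table is refused, so that, for instance, an RO domain cannot be loaded while the THSM is in state 604, and a reduced-function RO domain in 704 can only leave by one of the routes listed at 741. The following added Python example (not the patent's code) encodes both figures in one table-driven machine. The event names are assumptions; state 607 is used where the text once writes 707, and the 703-to-706 path is assumed to be the "updated policy/configuration" transition that the text describes without numbering.

```python
"""Added example: table-driven state machines for the THSM (FIG. 6) and an RO
domain (FIG. 7). Not the patent's code; event names are assumptions."""


class DomainStateMachine:
    """table maps (state, event) to the SET of states the event may lead to.
    Anything absent from the table is a refused transition."""

    def __init__(self, name, table, start):
        self.name, self.table, self.state = name, table, start
        self.history = [start]

    def targets(self, event):
        return self.table.get((self.state, event), set())

    def can(self, event, to=None):
        t = self.targets(event)
        return bool(t) if to is None else to in t

    def fire(self, event, to=None):
        t = self.targets(event)
        if not t:
            raise ValueError(f"{self.name}: {event!r} not allowed in state {self.state}")
        if to is None:
            if len(t) != 1:
                raise ValueError(f"{self.name}: {event!r} from {self.state} needs "
                                 f"an explicit target among {sorted(t)}")
            to = next(iter(t))
        elif to not in t:
            raise ValueError(f"{self.name}: {event!r} from {self.state} may not go to {to}")
        self.state = to
        self.history.append(to)
        return to


# FIG. 6: THSM states. 604 deliberately has no build_ro entry (RO domain may not
# be loaded there); 605 has no load_ro entry either, only build_ro per the SDP.
THSM_TABLE = {
    (601, "power_on_first"):   {602},
    (601, "power_on_stored"):  {603},
    (602, "build_dm"):         {606},
    (606, "build_do"):         {605},
    (605, "load_tdu"):         {604},
    (605, "build_ro"):         {607},   # post-boot state 7 (text once writes 707)
    (607, "load_tdu"):         {608},
    (603, "config_change"):    {610},
    (603, "activate_domains"): {609},   # assumed name for the 603 -> 609 path
    (609, "config_change"):    {610},
}
for _s in (604, 605, 607, 608):          # reconfiguration keeps the state
    THSM_TABLE[(_s, "reconfigure")] = {_s}

# FIG. 7: RO domain states and the numbered group transitions.
RO_TABLE = {
    (701, "build"):           {702},
    (702, "rto_complete"):    {703},
    (703, "policy_conflict"): {704},
    (703, "policy_update"):   {706},   # assumed: updated policy/config state
    (703, "new_software"):    {705},
    (705, "policy_conflict"): {704},
    (706, "policy_conflict"): {704},
    (704, "resolve"):         {703, 705, 706},   # 741
    (705, "transition"):      {703, 704, 706},   # 751
    (706, "transition"):      {703, 705, 706},   # 761
}
for _s in (702, 703, 704, 705, 706):     # 711: deletion by DO, RO, ...
    RO_TABLE[(_s, "delete")] = {701}


if __name__ == "__main__":
    m = DomainStateMachine("THSM", THSM_TABLE, 601)
    for ev in ("power_on_first", "build_dm", "build_do", "load_tdu"):
        m.fire(ev)
    print("THSM path:", m.history, "build_ro allowed in 604?", m.can("build_ro"))
    ro = DomainStateMachine("RO", RO_TABLE, 701)
    for ev in ("build", "rto_complete", "policy_conflict"):
        ro.fire(ev)
    ro.fire("resolve", 705)
    print("RO path:", ro.history)
```

Keeping the machine table-driven means the reachable-state argument (which domains can coexist, and from which states ownership can be taken) is a property of a small data structure that can be reviewed on its own, rather than of control flow scattered through the loader.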
With regard to the management of RO domains, what may be allowed as part of dynamic domain management is the negotiation of changed requirements as events arise. For example, an RO may decide that a service provided by another RO, which it previously could not support, is now permissible because it has determined that it no longer needs to compete with that service. Changes in business models over time may affect a prospective RO's negotiating position or policy. An SDP with a dynamic policy structure can accommodate such policy changes.
Preferred roaming partnerships or closed groups of ROs may be formed around certain services, for example, but not limited to, M2M geo-tracking combined with smart billing. Such grouping of services, in which different operators offer similar or different service partners among one another, may give rise to preferred closed groups. Such a preferred service, operator, or group of both may be offered to the device user as a bundled service or a service package.
In a first example, packages may be tracked as they are shipped around the world. Millions of such geo-tracking devices may be in use. As a package crosses continents, different operators in different countries provide its connectivity. Thus, in order to obtain connectivity, a user may need to subscribe to multiple roaming profiles. Since each domain is owned and managed by a remote operator, these roaming profiles across different remote operators are managed according to inter-domain policies. Furthermore, by enforcing these policies, a complete switch-over to a new service provider can be supported instead of a roaming-based solution.
In a second example, a partnership between a smart-metering operator and a geo-tracking operator is described. These domains may be owned and operated by different operators. Because of business partnerships or user preferences, these domains may be combined to support a joint profile. Smart billing may be used together with package tracking for billing based on the use of resources such as labor, storage or berthing. Such a paradigm of co-existing services that fall into different categories can be supported using inter-domain policy management.
An inter-domain policy manager (IDPM) may manage the policies that govern the group behavior of the domains. Each RO may download an inter-domain policy (IDP) during the RTO process. The IDP may be verified with certificates, signed by each RO, which may be issued together with the IDP. Alternatively, the policies may be certified and downloaded by an external service broker. A device user or device owner interested in creating a preferred-operator list may create an IDP. The IDPM may process these policies by evaluating an acceptable intersection of the candidate policies, or a priority for selecting an IDP, and then enforcing the resulting policy.
Alternatively, the IDPM may be added to the SDM either as one of the SDM's functions or as a separate entity that can be loaded (built) onto, or downloaded to, the THSM.
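The IDPM described above does three things: it discards any candidate IDP whose signature does not verify, it intersects the remaining candidates' permitted partner types and services, and, when the intersection is empty, it falls back to the candidate with the best priority. The following added Python example (not the patent's code) works through exactly that on constructed policies from two cooperating operators and one tampered policy; the operator names, the IDP fields and the use of HMAC as a stand-in for the RO-signed certificates are assumptions.

```python
"""Added example: inter-domain policy manager (IDPM) resolving candidate IDPs.
Not the patent's code; operators, IDP fields and keys are constructed, and
HMAC-SHA256 stands in for the certificate signed by each RO."""
import hashlib
import hmac
import json

# Constructed per-RO verification keys (would be certificates in practice).
RO_KEYS = {"GeoTrackCo": b"k-geo", "MeterCo": b"k-meter", "RoamCo": b"k-roam"}


def _canon(idp):
    return json.dumps(idp, sort_keys=True).encode()


def sign_idp(ro, idp):
    """An RO publishes its IDP with a tag over the canonical encoding."""
    tag = hmac.new(RO_KEYS[ro], _canon(idp), hashlib.sha256).hexdigest()
    return {"ro": ro, "idp": idp, "tag": tag}


def verify_idp(signed):
    key = RO_KEYS.get(signed["ro"])
    if key is None:
        return False
    expected = hmac.new(key, _canon(signed["idp"]), hashlib.sha256).hexdigest()
    return hmac.compare_digest(expected, signed["tag"])


def resolve_idp(signed_idps):
    """IDPM: keep verified IDPs, intersect their permitted partner types and
    services; on an empty intersection fall back to the best-priority IDP
    (lowest number). Returns (resulting policy or None, rejected RO names)."""
    valid = [s for s in signed_idps if verify_idp(s)]
    rejected = [s["ro"] for s in signed_idps if not verify_idp(s)]
    if not valid:
        return None, rejected
    types = set.intersection(*(set(s["idp"]["partner_types"]) for s in valid))
    services = set.intersection(*(set(s["idp"]["services"]) for s in valid))
    if types and services:
        policy = {"source": "intersection", "partner_types": sorted(types),
                  "services": sorted(services)}
    else:
        best = min(valid, key=lambda s: s["idp"]["priority"])
        policy = {"source": best["ro"],
                  "partner_types": sorted(best["idp"]["partner_types"]),
                  "services": sorted(best["idp"]["services"])}
    return policy, rejected


def demo():
    """Two compatible partners plus one IDP altered after signing."""
    geo = sign_idp("GeoTrackCo", {"partner_types": ["GEOTRACK", "METERING"],
                                  "services": ["geo-tracking", "smart-billing"],
                                  "priority": 2})
    meter = sign_idp("MeterCo", {"partner_types": ["METERING", "GEOTRACK", "MNO"],
                                 "services": ["smart-billing", "geo-tracking", "voice"],
                                 "priority": 1})
    roam = sign_idp("RoamCo", {"partner_types": ["MNO"], "services": ["roaming"],
                               "priority": 0})
    roam["idp"]["partner_types"].append("GEOTRACK")   # modified after signing
    return resolve_idp([geo, meter, roam])


if __name__ == "__main__":
    print(demo())
```

The signature check comes first on purpose: a policy that fails verification must not be able to empty the intersection and push the IDPM onto its fallback path, which is why the tampered RoamCo entry is reported as rejected rather than merely ignored.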
As part of the attestation protocol, TD_RO may send hashes of TPIA, TPES and SCARD to the RO instead of the full metrics. The RO may have the means, by itself or with the help of a TTP, to verify these hashes and thereby assess the validity of TD_RO and the surrounding system. This approach is similar to the semi-autonomous validation (SAV) specified in PCT patent application WO 2009/092115 (PCT/US2009/031603). Any one or two of the TPIA, TPES and SCARD metrics may be sent during the attestation phase.
The THSM may be embedded in its entirety as part of the ME. For such devices the RTO process may be simplified, since it dispenses with the interface between the ME and the THSM.
Although the features and elements of the present invention are described in particular combinations, each feature or element can be used alone without the other features and elements, or in various combinations with or without other features and elements. The methods or flow charts provided herein may be implemented in a computer program, software or firmware executed by a general-purpose computer or a processor, where the computer program, software or firmware is tangibly embodied in a computer-readable storage medium. Examples of computer-readable storage media include read-only memory (ROM), random-access memory (RAM), registers, cache memory, semiconductor memory devices, magnetic media such as internal hard disks and removable disks, magneto-optical media, and optical media such as CD-ROM disks and digital versatile disks (DVDs).
Suitable processors include, by way of example, a general-purpose processor, a special-purpose processor, a conventional processor, a digital signal processor (DSP), a plurality of microprocessors, one or more microprocessors in association with a DSP core, a controller, a microcontroller, application-specific integrated circuits (ASICs), field-programmable gate array (FPGA) circuits, any other type of integrated circuit (IC), and/or a state machine.
A processor in association with software may be used to implement a radio frequency transceiver for use in a wireless transmit/receive unit (WTRU), user equipment (UE), terminal, base station, radio network controller (RNC) or any host computer. The WTRU may be used in conjunction with modules implemented in hardware and/or software, such as a camera, a video camera module, a videophone, a speakerphone, a vibration device, a speaker, a microphone, a television transceiver, a hands-free headset, a keyboard, a Bluetooth module, a frequency-modulated (FM) radio unit, a liquid crystal display (LCD) display unit, an organic light-emitting diode (OLED) display unit, a digital music player, a media player, a video game player module, an Internet browser and/or any wireless local area network (WLAN) or ultra-wideband (UWB) module.
| Publication Number | Publication Date |
|---|---|
| CN102405630A | 2012-04-04 |
| CN102405630B | 2017-04-12 |

| Application Number | Priority Date | Filing Date | Title |
|---|---|---|---|
| US61/171,013 (US17101309P) | 2009-04-20 | 2009-04-20 | |
| US61/226,550 (US22655009P) | 2009-07-17 | 2009-07-17 | |
| PCT/US2010/031739 (WO2010123890A1) | 2009-04-20 | 2010-04-20 | System of multiple domains and domain ownership |
| CN201080017547.2A (CN102405630B, expired - fee related) | 2009-04-20 | 2010-04-20 | A system of multiple domains and domain ownership |
| CN201710165897.7A (CN107332816A, division, pending) | 2009-04-20 | 2010-04-20 | The system of multiple domains and domain ownership |

| Country | Link |
|---|---|
| US (2) | US9807608B2 (en) |
| EP (2) | EP2422503B1 (en) |
| JP (4) | JP5643292B2 (en) |
| KR (1) | KR101378109B1 (en) |
| CN (2) | CN102405630B (en) |
| TW (2) | TWI435584B (en) |
| WO (1) | WO2010123890A1 (en) |
| JP4064914B2 (en)* | 2003-12-02 | 2008-03-19 | インターナショナル・ビジネス・マシーンズ・コーポレーション | Information processing apparatus, server apparatus, method for information processing apparatus, method for server apparatus, and apparatus executable program |
| US7490347B1 (en)* | 2004-04-30 | 2009-02-10 | Sap Ag | Hierarchical security domain model |
| US8146142B2 (en)* | 2004-09-03 | 2012-03-27 | Intel Corporation | Device introduction and access control framework |
| US7636333B2 (en)* | 2004-11-16 | 2009-12-22 | Qualcomm Incorporated | Method and apparatus for carrier customization in communication systems |
| JP2006211280A (en)* | 2005-01-27 | 2006-08-10 | Nissan Motor Co Ltd | Mobile communication terminal, mobile communication system, and terminal connection method |
| JP2007006192A (en)* | 2005-06-24 | 2007-01-11 | Kyocera Corp | Communication terminal device |
| CN101379791B (en)* | 2005-12-19 | 2011-11-09 | 艾利森电话股份有限公司 | Technology for providing interoperability within different protocol domains |
| KR100765774B1 (en)* | 2006-01-03 | 2007-10-12 | 삼성전자주식회사 | Method and apparatus for managing domain |
| KR101215343B1 (en)* | 2006-03-29 | 2012-12-26 | 삼성전자주식회사 | Method and Apparatus for Local Domain Management Using Device with Local Domain Authority Module |
| KR101217240B1 (en)* | 2006-04-18 | 2012-12-31 | 주식회사 팬택앤큐리텔 | Domain Policy transmission method for managing the user domain |
| FR2906960B1 (en) | 2006-10-05 | 2009-04-17 | Radiotelephone Sfr | METHOD FOR THE CLOSED DISPOSAL OF AN ELECTRONIC SERVICE. |
| KR100835272B1 (en)* | 2006-11-07 | 2008-06-05 | 한국전자통신연구원 | Apparatus and method for managing components in SSIS system |
| JP4280765B2 (en)* | 2006-11-22 | 2009-06-17 | 株式会社エヌ・ティ・ティ・ドコモ | Mobile communication system, management apparatus, mobile station, and communication method |
| US20080133414A1 (en)* | 2006-12-04 | 2008-06-05 | Samsung Electronics Co., Ltd. | System and method for providing extended domain management when a primary device is unavailable |
| CN101282330B (en)* | 2007-04-04 | 2013-08-28 | 华为技术有限公司 | Method and apparatus for managing network memory access authority, network memory access control method |
| US20080301770A1 (en)* | 2007-05-31 | 2008-12-04 | Kinder Nathan G | Identity based virtual machine selector |
| JP2009033354A (en)* | 2007-07-25 | 2009-02-12 | Panasonic Corp | Communications system |
| DE102007044905A1 (en)* | 2007-09-19 | 2009-04-09 | InterDigital Patent Holdings, Inc., Wilmington | Method and device for enabling service usage and determination of subscriber identity in communication networks by means of software-based access authorization cards (vSIM) |
| US20090150969A1 (en)* | 2007-12-05 | 2009-06-11 | Davis Douglas B | Filtering Policies to Enable Selection of Policy Subsets |
| KR100949808B1 (en)* | 2007-12-07 | 2010-03-30 | 한국전자통신연구원 | P2P traffic management device and method |
| KR101861607B1 (en) | 2008-01-18 | 2018-05-29 | 인터디지탈 패튼 홀딩스, 인크 | Method and apparatus for enabling machine to machine communication |
| US8230069B2 (en)* | 2008-03-04 | 2012-07-24 | International Business Machines Corporation | Server and storage-aware method for selecting virtual machine migration targets |
| CN101262474B (en)* | 2008-04-22 | 2012-02-01 | 武汉理工大学 | A Cross-Domain Access Control System Realizing Role and Group Mapping Based on Cross-Domain Authorization Intermediary |
| TW201012187A (en)* | 2008-08-25 | 2010-03-16 | Interdigital Patent Holdings | Universal integrated circuit card having a virtual subscriber identity module functionality |
| US9807608B2 (en) | 2009-04-20 | 2017-10-31 | Interdigital Patent Holdings, Inc. | System of multiple domains and domain ownership |
| Title |
|---|
| REINALDO MATUSHIMA et al.: "Multiple Personal Security Domains", IWCMC '06 PROCEEDINGS OF THE 2006 INTERNATIONAL CONFERENCE ON WIRELESS COMMUNICATIONS AND MOBILE COMPUTING* |
| Publication number | Priority date | Publication date | Assignee | Title |
|---|---|---|---|---|
| CN104823408A (en)* | 2012-12-06 | 2015-08-05 | 高通股份有限公司 | Management of Network Devices Using Authorization Tokens |
| CN110035110B (en)* | 2013-02-15 | 2021-12-10 | 康维达无线有限责任公司 | Cross-domain service layer resource propagation method and equipment |
| CN110035110A (en)* | 2013-02-15 | 2019-07-19 | 康维达无线有限责任公司 | Cross-domain services layer resource is propagated |
| CN105493099B (en)* | 2013-07-01 | 2018-09-25 | 亚马逊技术有限公司 | Cryptographically attested resources for hosting virtual machines |
| CN105493099A (en)* | 2013-07-01 | 2016-04-13 | 亚马逊技术有限公司 | Cryptographically attested resources for hosting virtual machines |
| US10469472B2 (en) | 2013-08-12 | 2019-11-05 | Cis Maxwell, Llc | Operating system integrated domain management |
| CN105830477A (en)* | 2013-08-12 | 2016-08-03 | 哥莱菲特软件公司 | Operating system integrated domain management |
| US11356431B2 (en) | 2013-08-12 | 2022-06-07 | Cis Maxwell, Llc | Operating system integrated domain management |
| US10230717B2 (en) | 2013-11-21 | 2019-03-12 | Cis Maxwell, Llc | Managed domains for remote content and configuration control on mobile information devices |
| US10951608B2 (en) | 2013-11-21 | 2021-03-16 | Cis Maxwell, Llc | Managed domains for remote content and configuration control on mobile information devices |
| US11876794B2 (en) | 2013-11-21 | 2024-01-16 | Cis Maxwell, Llc | Managed domains for remote content and configuration control on mobile information devices |
| CN106330813A (en)* | 2015-06-16 | 2017-01-11 | 华为技术有限公司 | A method, device and system for processing authorization |
| CN108140092A (en)* | 2015-12-02 | 2018-06-08 | 密码研究公司 | Equipment with multiple trusted roots |
| CN108140092B (en)* | 2015-12-02 | 2022-04-01 | 密码研究公司 | Device with multiple roots of trust |
| CN109450519A (en)* | 2018-10-30 | 2019-03-08 | 航天东方红卫星有限公司 | A kind of spaceborne total digitalization USB answering machine |
| CN109450519B (en)* | 2018-10-30 | 2021-06-11 | 航天东方红卫星有限公司 | Satellite-borne full-digital USB (universal serial bus) transponder |
| Publication number | Publication date |
|---|---|
| EP2897341A1 (en) | 2015-07-22 |
| EP2422503A1 (en) | 2012-02-29 |
| JP2012524502A (en) | 2012-10-11 |
| JP5643292B2 (en) | 2014-12-17 |
| JP2016213889A (en) | 2016-12-15 |
| KR101378109B1 (en) | 2014-03-26 |
| TWI435584B (en) | 2014-04-21 |
| US9807608B2 (en) | 2017-10-31 |
| JP5987039B2 (en) | 2016-09-06 |
| CN102405630B (en) | 2017-04-12 |
| TW201220794A (en) | 2012-05-16 |
| US20110099605A1 (en) | 2011-04-28 |
| JP2018063716A (en) | 2018-04-19 |
| WO2010123890A1 (en) | 2010-10-28 |
| TW201129042A (en) | 2011-08-16 |
| EP2422503B1 (en) | 2015-03-04 |
| CN107332816A (en) | 2017-11-07 |
| TWI531195B (en) | 2016-04-21 |
| JP2015073279A (en) | 2015-04-16 |
| US20180152841A1 (en) | 2018-05-31 |
| EP2897341B1 (en) | 2016-11-09 |
| KR20120004528A (en) | 2012-01-12 |
| Publication | Publication Date | Title |
|---|---|---|
| CN102405630B (en) | | A system of multiple domains and domain ownership |
| US9391981B2 (en) | | Registration and credential roll-out for accessing a subscription-based service |
| US9032473B2 (en) | | Migration of credentials and/or domains between trusted hardware subscription modules |
| US20180091978A1 (en) | | Universal Integrated Circuit Card Having A Virtual Subscriber Identity Module Functionality |
| HK1169228A (en) | | System of multiple domains and domain ownership |
| HK1175902A (en) | | Registration and credential roll-out for accessing a subscription-based service |
| Date | Code | Title | Description |
|---|---|---|---|
| | C06 | Publication | |
| | PB01 | Publication | |
| | C10 | Entry into substantive examination | |
| | SE01 | Entry into force of request for substantive examination | |
| | REG | Reference to a national code | Ref country code: HK; Ref legal event code: DE; Ref document number: 1169228; Country of ref document: HK |
| | GR01 | Patent grant | |
| | GR01 | Patent grant | |
| | REG | Reference to a national code | Ref country code: HK; Ref legal event code: WD; Ref document number: 1169228; Country of ref document: HK |
| | CF01 | Termination of patent right due to non-payment of annual fee | |
| | CF01 | Termination of patent right due to non-payment of annual fee | Granted publication date: 20170412; Termination date: 20180420 |